3 Lessons Learned from 2017 HIPAA Violations

2017 HIPAA Data Breach & Violations

Even though HIPAA awareness and training are abundant across the US, the Department of Health and Human Services received 1,996 breach reports in the first half of 2017 alone. No matter how hard organizations try, they continue to fall victim to breaches and attacks, and they do not take sufficient corrective measures to avoid repeat incidents. In response, we have compiled some of the most important lessons learned from 2017 HIPAA violations:

  1. Report breaches on time

    The breach notification process is clear. Within sixty days of discovering a breach, organizations are obliged to notify the Office for Civil Rights (OCR), the media and the affected customers. If notification is delayed without a valid reason, the breached organization must pay a settlement. Legal issues aside, waiting to notify OCR wastes valuable time that could be spent minimizing the effect of the breach. Presence Health learned this the hard way: after an untimely breach notification, it agreed to pay $475,000 and implement a corrective action plan. Hesitating to notify OCR of a breach is understandable, but the repercussions of not doing so are far worse than bad publicity.

  2. Business Associate Agreements are a must

    While they do not guarantee the security of your patient data, BAAs tell the third-party vendors your organization works with how to handle sensitive data. Your BAA must be unambiguous, and vendors must sign it before receiving any protected health information (PHI). Business associates can also be held responsible for breaches, just like covered entities. In April 2017, the Center for Children's Digestive Health agreed to pay a $31,000 settlement for disclosing PHI without an appropriate BAA in place. Such avoidable shortcomings are not worth the trouble or the fines: writing a BAA is undoubtedly cheaper than paying a settlement.

  3. Audit Control is a must

    HIPAA treats audit controls as one of the technical safeguards an organization must implement. It expects covered entities to adopt the technology needed to monitor all activity in systems containing PHI. A well-known breach that resulted from inconsistent auditing is the Memorial Healthcare System (MHS) incident. The organization agreed to a $5.5 million settlement after a former employee of a business associate was given access to PHI. Although MHS took corrective measures immediately, the damage was already done.
