Even though HIPAA awareness and training are abundant all across the US, the Department of Health and Human Services received reports of 1,996 breaches in only the first half of 2017. It seems that no matter how hard organizations try, they continue to fall victim to breaches and attacks and do not take sufficient corrective measures to avoid future issues. In response, we have compiled a list of some of the most important lessons learned from 2017 HIPAA violations:
Report breaches on time
The security breach notification process is quite clear. Within sixty days of discovering a breach, organizations are obliged to make the breach known to the Office for Civil Rights (OCR), the media and affected customers. If there is a notification delay for no valid reason, the breached organization must pay a settlement. Putting legal issues aside, waiting to notify OCR is a waste of valuable time that could be used to minimize the effect of the breach. Presence Health suffered the consequences of untimely breach notification after it agreed to pay $475,000 and implement a corrective action plan. While hesitating to notify OCR of a breach is understandable, the repercussions for not doing so are much worse than bad publicity.
Business Associate Agreements are a must
While they do not guarantee the security of your patient data, BAAs guide the third-party vendors that your organization works with on how to handle sensitive data. Your BAA must be unambiguous, and vendors must sign it before receiving any personal health information (PHI). Additionally, business associates can be held directly responsible for a data breach, just like covered entities. In April of 2017, the Center for Children's Digestive Health agreed to pay a settlement of $31,000 for disclosing PHI without having an appropriate BAA in place. Such unnecessary shortcomings are not worth the trouble caused or the fines paid, since writing up a BAA is undoubtedly cheaper than paying a settlement.
Audit Control is a must
The HIPAA Security Rule considers audit controls to be part of the technical safeguards that an organization must implement. It expects covered entities to adopt the necessary technologies to record and monitor all activity in systems containing PHI. A well-known case of a breach that resulted from inconsistent auditing is the Memorial Healthcare System incident. The organization agreed to a $5.5 million settlement after a former employee of a business associate was given access to PHI. While MHS immediately took corrective measures, the damage was already done.
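The MHS case above turns on the kind of finding a routine audit-log review should surface: an account still reaching PHI after its owner's employment or vendor engagement ended. The following Python script is an added example, not code from the original article or from any of the organizations it names; the log format, the roster fields and every sample line are constructed for illustration. It joins PHI access events against an authorization roster and flags access by unknown accounts or by accounts whose authorization end date has passed.

```python
"""
Added example (not from the original article): a minimal audit-log review that
flags PHI access by accounts that are unknown or whose authorization has ended
(terminated employee, expired business-associate engagement). The log format,
roster structure and all sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: account -> (employer, date authorization ended, or None if still active)
ROSTER = {
    "jdoe":     ("Covered Entity", None),
    "mlee":     ("Covered Entity", date(2017, 2, 28)),        # employee terminated
    "vendor01": ("Billing Partner LLC", date(2017, 1, 15)),   # BA engagement ended
    "vendor02": ("Billing Partner LLC", None),
}

# Constructed audit log: "<ISO timestamp> <account> <action> <record id>" per line
SAMPLE_LOG = """\
2017-03-01T08:12:04 jdoe VIEW patient:1001
2017-03-01T09:30:17 mlee VIEW patient:1002
2017-03-02T23:41:50 vendor01 EXPORT patient:1003
2017-03-02T10:05:33 vendor02 VIEW patient:1004
2017-03-03T11:00:00 ghost VIEW patient:1005
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    action: str
    record: str
    reason: str


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def review_access_log(log_text, roster):
    """Return a Finding for every PHI access the roster does not authorize."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, record = parse_line(raw)
        if user not in roster:
            # No roster entry at all: the account should not exist on a PHI system
            findings.append(Finding(ts, user, action, record, "unknown account"))
            continue
        _employer, ended = roster[user]
        if ended is not None and ts.date() > ended:
            # Access after the authorization end date: the MHS-style failure mode
            reason = f"access after authorization ended {ended.isoformat()}"
            findings.append(Finding(ts, user, action, record, reason))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, ROSTER):
        print(f"{f.timestamp.isoformat()} {f.user:<9} {f.action:<7} {f.record}  <- {f.reason}")
```

In practice the roster would come from the HR and vendor-management systems and the log from the EHR or database audit trail; the point of the script is that the review is only possible if both the authorization end dates and the access records are actually being kept, which is what the audit control safeguard requires.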