Largest HIPAA Settlement Amid 20th Anniversary of Regulation
As the Health Insurance Portability and Accountability Act (HIPAA) turns 20, we have also seen the largest HIPAA settlement to date ($5.55 million) – laid at the feet of Advocate Health Care.
This last case was on the heels of two July 2016 settlements: $2.75 million with the University of Mississippi Medical Center and $2.7 million with Oregon Health & Science University. With mandatory breach notification required for the past seven years, HIPAA compliance risk exposure has increased, and HIPAA enforcement is rising.
HIPAA Data Breach and Security Lessons
The Federal Trade Commission is paying attention to security as well. In addition to enforcement actions that point to security promises, the FTC has published security guidance – lessons learned from enforcement actions, if you will.
Moreover, even without regulator oversight, the possibility of a data breach brings a complex set of state laws and costs associated with notification and possible litigation.
Another trend is the increased responsibility of vendors to health organizations. As enforcement rises and the sophistication of health care organizations around HIPAA increases, these “covered entities” under HIPAA expect more from their vendors, most of whom qualify as Business Associates under HIPAA.
In turn, Business Associates must sign up for HIPAA obligations in a Business Associate Agreement and then live up to those responsibilities with direct regulatory compliance risk and liability to the covered entities they support.
Early in the life of HIPAA, before the amendments under HITECH in 2009, healthcare organizations may have been more concerned with their own HIPAA compliance than with their vendors’ compliance; now vendors are asked more in-depth questions about how they comply.
With this in mind, the HIPAA anniversary is a great reminder that the security risk assessments and the strong privacy and security programs that HIPAA requires are more important to today’s healthcare businesses and their vendors – not less.
Start Conducting Risk Assessments Now
In fact, as part of its settlement, Advocate Health Care has agreed to conduct a complete risk assessment and present security plans to HHS for approval. It makes sense, then, that organizations that handle sensitive personal information – such as Protected Health Information (PHI) – would take the same measures on their own.
A first step can be a HIPAA Health Check: a high-level gap analysis that compares current practices and documentation against HIPAA privacy, security and breach notification requirements. This Health Check aims to identify areas in which major program components are either not adequately documented or may not exist.
From this high-level gap analysis, an organization can consider how to prioritize and address the identified gaps in a reasonable and thoughtful way.
With over 10 significant settlements year to date and the commencement of the Phase 2 HIPAA Audit program, which reviews both covered entities and business associates, the 20th year of HIPAA brings with it increasing security and privacy focus and expectations.
Fortunately, there are also more resources available to organizations that wish to double down on their compliance and security stance.