1 Breach A Day Is 1 Breach Too Many! Take Note – HIPAA Fines Have Increased

The healthcare sector fell victim to more than 330 data breaches in 2017 – nearly one per day. Will you be next?

Large-scale ransomware attacks like WannaCry (which hit 112 countries) struck the industry with a scary new reality: Hackers will find a way in and – regardless of safeguards taken — hospitals will get hit.

And there’s more bad news – the fines for noncompliance with HIPAA regulations have reached new heights! HHS recently increased the penalties for HIPAA violations:

• No Knowledge (Covered Entity did not know about violation): $112 to $55,910 per violation
• Reasonable Cause (Lesser than Willful Neglect): $1,118 – $ 55,910 per violation
• Willful Neglect (Violation Corrected): $11,182 – $55,910 per violation
• Willful Neglect (Violation not Corrected): The Minimum penalty is $55,910 per violation with no maximum.

And, in addition to civil penalties for noncompliance, you could be liable for criminal penalties that include fines, imprisonment or both!

These fines are expected to continue to increase. Have you recently reviewed your HIPAA data-protection policies and procedures? If not, you should.

The really sad news is that these data breaches could have been prevented.

One of these offenders didn’t even take the time to undergo a Vulnerability Assessment to determine if there were any gaps in their IT security posture.

And they said they couldn’t show that they did everything that could have reasonably been done to protect their patients’ private data.

This is unforgivable.

Would you trust your family’s electronic Protected Health Information (ePHI) to a clinic that didn’t take precautions to protect it? — I doubt that you would.

When this happens, word gets around and patients simply move on to another medical professional.

Keep reading because we’re going to tell you about some of the worst data breaches over the past year. Plus, we’ll tell you what regulators are looking for and how to prevent non-compliance.

HHS/HIPAA #1 Offender – MedStar Health Maryland

MedStar Health is the 2^nd biggest healthcare system in Maryland. Wouldn’t you think they’d know better than to leave their patients’ protected information at risk?

Unfortunately, they weren’t well prepared. They were hit with a ransomware attack where their data was held ransom and under the control of criminals.

As a result, their 30,000 employees and 6,000 physician affiliates couldn’t access their electronic health records (EHRs) and much needed patient information. They also couldn’t use their computers. Instead, they had to resort to using paper and pencils! As a result, some patients were turned away.

Would you go to MedStar or one of their affiliates now? I wouldn’t. There are many other providers in the DC Metro Area, Maryland and Virginia that I could take my business to.

The hackers demanded a ransom payment in bitcoins at an equivalent of $1,250 per patient record, or $18,500 to unlock them all. And worse, the criminal’s demand didn’t clearly state that they also wanted a separate 45-bitcoin payment to unlock each affected MedStar network!

HHS/HIPAA #2 Offender – Banner Health Phoenix, Arizona

Banner Health is a major hospital system. Its payment processing network was penetrated by hackers in their food stations. And, because these computers were connected to the rest of Banner’s IT network, the hackers gained access to more than 4 million patient records! This included patients’ names, birthdates, addresses, claims information, medical information, and Social Security Numbers! In other words, “the works!”

What a disaster!

And guess what hackers do with this data? They sell it! A record that contains a name, address and Social Security number can sell for $1 to $3 on the black market. And, a detailed medical record (ePHI) with unique patient identifying numbers can fetch up to $100!  

Imagine the negative publicity Banner got. Not to mention the effect on their insurance rates–if they can even get insurance now!

HHS/HIPAA #3 Offender–Advocate Health Care Network

Advocate Health in Illinois, one of the nation’s biggest health-care systems, had to pay a fine to HHS for $5.55 million due to a breach that compromised the electronic data of 4 million patients.

To date, this is the single largest penalty levied against a single entity for a HIPAA violation.

According to HHS, the compromised patient records included people’s names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information and health insurance information!

The HHS investigation also revealed that Advocate Health Care failed to:

1. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI.
2. Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center.
3. Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard in all ePHI in its possession.
4. Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Are you following these 4 requirements? If not, you could be fined as well.

Is Your Healthcare Organization HIPAA Compliant?

Being HIPAA compliant doesn’t necessarily mean that your data is secure. Hackers’ tactics are more sophisticated than ever before. This is a big business, and it’s easy for criminals to get into the hacking game.

Cybercriminals have new and more effective ways of stealing your data, and they try new techniques every day.

HIPAA law, although updated, just can’t keep up with all of these new attack vectors. It’s up to you to stay abreast of the cyber threat landscape and protect your health organization.

You must ensure your ePHI privacy, protect it from anticipated cyber threats, and employ security measures to protect against the latest threats.

At a minimum, you must comply with § 164.306 – Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information you or your business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

Do you agree that these rules leave some room for interpretation? The HIPAA language is written this way for this reason, and it can be difficult to know where you stand.

That’s why it’s essential that you either have a HIPAA IT Professional on your staff, or contract with an IT Managed Service Provider (MSP) in your area who has this expertise.

To make matters worse, you also have to worry about the HITECH Act and its 4 tiers of increasing penalties.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

Four categories of violations that reflect increasing levels of culpability;

Unknowing. The covered entity or business associated did not know and reasonably should not have known of the violation.

Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.

Willful Neglect. (corrected)The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.

Willful Neglect. (uncorrected) The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

• Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
• A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

• Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
• Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

We need a lawyer to interpret all of this!

How are you supposed to see your patients and interpret/comply with these strictly enforced rules?

You can’t. You need the advice of an IT Expert who understands HIPAA and HITECH regulations. One who can help you not only comply but ensure your ePHI is safe and secure 24/7.

Don’t take chances with federal regulators or risk a HIPAA audit. Seek the counsel of your local HIPAA IT Expert/ IT Managed Services Provider.