If the $1.7 Million penalty announced recently by OCR didn’t get your attention, how does $4.8 Million sound? In the largest fine levied by the Department of Health and Human Services to date, two partner healthcare organizations settled with an agreement to pay what, at first blush, may seem to be an exorbitant sum.
With OCR compliance audits set to resume later this year, HHS seems to be sending a clear message – failure to comply with HIPAA regulations puts you at risk of more than just a breach. The message regulators are sending doesn’t stop there.
Start with the Basics
The two fines just announced, $3.3 Million to New York-Presbyterian Hospital (NYP) and $1.5 Million to Columbia University, stem from a breach involving the disclosure of the ePHI of 6,800 patients in files shared by the two organizations. The investigation initiated by this breach revealed that neither entity had:
- made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections,
- conducted an accurate and thorough risk analysis that identified all systems that access ePHI, or
- developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.
In addition, NYP had failed to implement appropriate policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.
In the case of the organization recently fined $1.7 Million, as in other similar cases, the laptop(s) went missing or were stolen, and the patient data they contained was not encrypted. Along with basic software protections, the required risk analysis, risk management and other policies and procedures, encryption should be a basic first line of defense against a breach. OCR is making it clear that it is going to be less tolerant of organizations that neglect such basic safeguards.
Manage Partners & Business Associates
NYP and Columbia are both covered entities operating under a joint agreement. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, made it clear in her statement about this case that “when entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information.” This can apply to business associate agreements as well. Entering into an agreement with another organization where ePHI will be shared leaves both entities responsible for the security of that information; neither side can delegate that responsibility to the other.
When your organization enters into partnership with another covered entity or with a business associate company, it is important to be sure that you share the same diligence toward security and that you both have a similarly strong culture of compliance.
Compliance is not a Checklist – It’s a Culture
It is easy to find compliance software and compliance checklists on the internet. Approaching compliance this way, however, makes it easy to fall into the trap of valuing form over substance. When organizations narrowly focus on the letter of the law, they can lose sight of the bigger picture of compliance for security.
Compliance regulations are a guide designed to help organizations maintain security. Meeting compliance standards is not simply the task of one person or one department. For your compliance efforts to be effective, your organization must value the benefits it reaps from working toward compliance, and that value must be embraced by top management. Your organization must foster a culture of compliance that is understood and adopted by every member of the staff.
Key tenets of a culture of compliance include:
- Recognition that all ePHI is valuable. Any unauthorized access degrades the security of the entire system. Even records viewed to satisfy personal curiosity devalue the culture and weaken the organization.
- Recognition that the little things are important. Equipment must be encrypted, secured, and tracked diligently. The $1.7 Million fine levied recently was the result of just one unencrypted laptop that went missing.
- Recognition that all of the machines and systems within the network are connected. Any change to the system, anything downloaded or even clicked on, can expose the whole network to a threat. The breach resulting in $4.8 Million in fines to NYP and Columbia began when a physician tried to deactivate a server that he owned personally but that was connected to the network.
The great benefits of technology that we all enjoy in our personal and professional lives, the advances in medical treatment, and our dependence on these tools come with inherent risk. Patients’ health information is a tempting digital prize for hackers and cyber criminals. Organizations must take seriously the risks that exist in health information technology today. We all must realize that the risks of a security breach, plus the increasing threat of penalty, far outweigh the cost and effort required to be prepared.
If you would like to speak with someone to learn how your organization can begin to take the necessary steps or to identify weak areas in your IT security, contact us today.