The Department of Health and Human Services released news last week that a HIPAA Covered Entity health care provider has incurred a $1.7M fine as the result of just one unencrypted laptop that went missing from one of their satellite facilities. This penalty was more severe because previous risk assessments (more than one) indicated the lack of encryption on laptops, desktops, and other equipment and devices posed a significant risk to their PHI. The OCR’s investigation deemed the company’s remediation efforts to have been “incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization.” (For more information about this case, visit HHS.gov/News.)
Encryption and Simple Security Steps to Avoid Breach
We have seen costly breaches involving stolen laptops and equipment before. There may have been simple steps the organization and its satellite facility could have taken to increase physical on-site security to prevent the laptop from being stolen. Ultimately, such loss by theft is a risk that cannot be completely eliminated. Applying encryption software is a simple step that can avoid a costly data breach and heavy fines.
Policies and Procedures designed to facilitate the maintenance of equipment and security tools can ensure the ongoing, proactive security of sensitive data and assets. The costs of such measures are very minor relative to the potential breach or fines an organization can face when these steps are not taken.
Remediation of Identified Risks
The fine levied in this recent case was compounded by the organization’s failure to sufficiently address risks they had already identified. It is tempting, when the likelihood of a breach seems small (which it always does before it happens), to gamble with the risk to avoid the time, disruption, and costs of remediation. Proactive remediation (taking action when a threat is identified), however, is never as costly as reactive remediation that has to occur after a breach.
The Administrative Safeguards of the Security Rule call for “reasonable and appropriate” steps to be taken to ensure compliance. If an organization can show that such steps have been taken on a consistent basis, and if a plan is in place to address the identified risks over time, the potential for penalties and fines can be lessened.
However, if the organization does not take appropriate steps on its own and a breach occurs, remediation may be mandated by the HHS Office of Civil Rights, which regulates HIPAA compliance. Oversight of the ordered remediation process may be required as well, and this can increase remediation costs considerably.
Risk Assessment: Ignorance is Not Bliss
When we see examples where prior knowledge of the security threat increased the ultimate penalty faced by the company following an incident, it may seem more practical to avoid such knowledge altogether. It is safe to assume, however, that the penalty would have been even more severe if the organization had neglected to perform periodic risk assessments at all. They could have claimed ignorance of the risk (a dubious assertion at best), but this would not negate responsibility.
Covered Entities and Business Associate organizations are required to perform periodic risk assessments. A risk assessment, in and of itself, does nothing to mitigate risk. Relying on a checklist to guide an internal risk assessment or trusting a low cost security provider’s less than thorough analysis does not relieve the responsibility for any risks that may not be revealed in the assessment. It is important that each Covered Entity or Business Associate undergo a thorough risk assessment that produces an actionable report and remediation plan.
The goal is always to correct or mitigate as much risk as possible. When an incident or breach does occur, having a plan in place ahead of time to guide your response will lessen the damage to the organization and reduce the cost of recovery. In the event of an audit or investigation following a breach, showing a consistent effort to mitigate risk can minimize the penalty incurred as well.
The costs of preparation are far less than the price of being caught unprepared for a security incident. Contact us today to find out how a risk assessment, remediation guidance, and an incident response plan can help you avoid a costly breach or heavy penalty down the road.