What we can learn from HIPAA violators, without experiencing their pain
HIPAA violations settled this year by the Health & Human Services Office for Civil Rights (HHS OCR) have offered important lessons for all healthcare providers. In assessing the most frequent violations, the HHS OCR has found that a handful of specific compliance actions can prevent the majority of violations and potential data breaches. Learn from these core lessons to achieve the greatest return on your compliance investment.
Lesson 1: Know Your Vulnerabilities and Monitor Your System Activity
Montefiore Medical Center, a non-profit hospital system based in New York City, was found by the OCR to be in violation of several requirements of the HIPAA Security Rule. Their HIPAA violations created data security failures that enabled an employee to steal and sell patients’ protected health information (PHI) over a six-month period. Worse still, the theft wasn’t discovered for two years.
OCR’s investigation into the data breach found multiple violations of the HIPAA Security Rule at Montefiore, including:
- Failure to analyze and identify potential risks and vulnerabilities to PHI.
- Failure to monitor and safeguard its health information systems’ activity.
- Failure to implement policies and procedures that record and examine activity in information systems containing or using protected health information.
Under the terms of the settlement, Montefiore will pay $4,750,000 to the OCR and implement a corrective action plan that meets HIPAA requirements for the protection and security of PHI. OCR will monitor Montefiore Medical Center for two years to ensure compliance with the corrective action plan.
The corrective actions mandated by the OCR teach lessons to those willing to listen and learn. To achieve HIPAA compliance, Montefiore—and all healthcare providers—must take the following actions.
- Conduct an accurate and thorough annual assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.
- Develop a written risk management plan to address and mitigate the risks and vulnerabilities identified in the risk assessment.
- Develop a plan to implement hardware, software, and other procedural mechanisms that record and examine activity in all information systems that contain or use electronic PHI.
- Review and revise written policies and procedures to comply with the HIPAA Privacy and Security Rules.
- Provide employee training in documented HIPAA policies and procedures and keep a record of who was trained on what dates.
Lesson 2: Make Sure Your Procedures are HIPAA-Compliant and Train Your Employees to Follow Them
Another common HIPAA violation is a delay of timely access to medical records, which violates the HIPAA Privacy Rule’s Right of Access provision. Providers have 30 days to respond to and fulfill such requests. One 30-day extension is allowable in certain circumstances, but it is not the norm.
In just two examples, 2024 financial penalties imposed on Hackensack Meridian Health and Phoenix Healthcare totaled $350,000 prior to negotiated settlements between HHS OCR and the violators. These and other violations of the Right of Access requirement teach important lessons based on the following compliance actions mandated by the OCR.
- Revise HIPAA policies and procedures to address, in detail, Privacy Rule requirements for accommodating an individual’s right to access their PHI.
- Implement and distribute to all employees the revised set of HIPAA-compliant policies and procedures.
- Develop employee training materials that review the compliant policies and procedures and include a description of the necessary training, summary of topics to be covered, length of each training session, a training schedule, and names of individuals who will conduct the training and their affiliations.
- Document completion of each training session, including who was trained.
Lesson 3: Take These Steps to Safeguard Your PHI
Under HIPAA, healthcare providers play important dual roles in delivering patient care and safeguarding patient information. In a recent press release from HHS OCR, all entities are encouraged “to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”
In light of ongoing HIPAA violations and data breaches in the healthcare industry, the OCR urges healthcare providers, health plans, business associates, and clearinghouses to implement the following safeguards to reduce their vulnerability to cyberthreats. Implementing these compliance actions, along with those described in Lessons 1 and 2, will go a long way toward reducing your risk of HIPAA violations that lead to costly data breaches.
- Review all vendor and contractor relationships to ensure business associate agreements are in place, appropriate, and address breach reporting requirements.
- Integrate risk analysis and risk management into business processes.
- Conduct risk assessments regularly, and also when preparing to implement new technologies, install new hardware or software, and introduce business operations.
- Ensure audit controls are in place to record and examine information system activity, and conduct regular reviews of information system activity to detect suspicious activity promptly.
- Employ multi-factor authentication to ensure only authorized users are accessing protected health information.
- Encrypt PHI to guard against unauthorized access.
- Incorporate lessons from security incidents and data breaches into the overall security management process.
- Provide training specific to employees’ roles and job responsibilities on a regular basis and reinforce with employees the importance of protecting data privacy and security at the individual employee level.
Summary
HIPAA violations and the data breaches that result from them continue to plague the healthcare industry as providers, business associates, insurers, and other covered entities struggle to achieve full HIPAA compliance. Until they do, the OCR will actively investigate potential violations, report findings in public press releases, impose financial penalties, mandate detailed corrective action plans, and monitor the implementation of those corrective actions.
Clear lessons are available to all members of the healthcare industry, teaching us how to achieve the greatest return on our HIPAA compliance investment and how to avoid HIPAA violations. For assistance in converting these lessons into positive actions for your organization, contact our team of experienced cybersecurity and compliance professionals at 24By7Security.