HIPAA regulators are starting to levy heavy fines for small breaches.
If you’re an IT firm, and you have small healthcare clients, then put them on alert: they can no longer fly under the radar. They must protect patient health data or risk ending up like the providers listed in this post.
As their IT service provider, you can seize a massive opportunity by helping them protect patient data and maintain compliance.
Small HIPAA Breaches Yield BIG Fines
A review of the following enforcement actions taken by OCR in response to smaller HIPAA breaches reveals a few insights:
- A stolen laptop can yield hundreds of thousands of dollars in fines (aka “settlement fees”).
- Carelessness is often to blame.
- The size of a fine appears more closely tied to an organization’s degree of neglect in establishing and enforcing sound security policies than to the number of records stolen in a single incident.
Stolen laptop – $50,000 fine
In 2013, HHS settled its first HIPAA breach case in regard to compromised PHI that affected fewer than 500 individuals.
The Hospice of North Idaho agreed to pay $50,000 after an unencrypted laptop with the ePHI of 441 patients was stolen.
OCR discovered the company had no policies or procedures in place that addressed mobile security.
Stolen laptop – $1.7 million fine
In 2014, Concentra Health Services agreed to a settlement of $1,725,220 after an unencrypted laptop was stolen from one of its facilities.
Though the company had performed a risk analysis that determined many of its devices containing ePHI were unencrypted, and therefore at risk, its efforts to fix the problem were inconsistent and incomplete.
Stolen laptop – $250,000 fine
Arkansas-based QC Health Plan agreed to a 2014 settlement of $250,000 after OCR received notice that the ePHI of 148 individuals had been downloaded on a laptop that was stolen from an employee’s car.
The company also agreed to retrain its workforce, and to document ongoing compliance measures.
File sharing misuse – $218,400 fine
A $218,400 settlement was agreed to by St. Elizabeth’s Medical Center in 2015 after OCR received a complaint that an employee used a web-based document sharing application to store the ePHI of at least 498 individuals.
OCR’s investigation determined that SEMC failed to quickly identify and respond to the incident, and also failed to quickly mitigate its harmful effects and document it.
Stolen mobile device – $650,000 fine
In June 2016 the OCR imposed a $650,000 settlement on Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS provided IT services to six skilled nursing facilities as a business associate.
A mobile device containing PHI for 412 individuals, including their social security numbers, family member names, and medical diagnoses was stolen in 2014.
The OCR determined the company didn’t have a risk analysis plan, or a policy against removing mobile devices from the premises.
In addition to being fined, all the above companies agreed to comply with a prescribed Corrective Action Plan.
Opportunity for IT companies
Many healthcare record breaches are preventable, and organizations are doing too little to keep PHI secure, according to FBI Supervisory Special Agent Scott Augenbaum.
In his 2016 speech, titled, “The Health Information Executive’s Guide to Cybersecurity,” he warned that hackers backed by foreign governments, China in particular, are penetrating U.S. health care information systems.
They do so as a way to innovate their own health care systems without spending money on legitimate research.
IT companies can capitalize on new business opportunities by taking Augenbaum’s advice, which he claims can prevent 90% of healthcare system breaches.
He recommends the following steps:
- Create an inventory of authorized and unauthorized devices
- Create an inventory of authorized and unauthorized software
- Ensure secure configurations for hardware and software on all devices (PCs, laptops, mobiles, tablets, servers, and IoT devices)
- Ensure continuous vulnerability assessments are performed and vulnerabilities are remediated promptly
- Ensure administrative privileges are controlled
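As an added example (not code from the original post or from Augenbaum), here is how an IT provider might turn the first, second and fifth items into a repeatable check: a Python script that reconciles an endpoint inventory against allow-lists of authorized devices, software and admin accounts, and additionally flags any device that holds ePHI without disk encryption, the failure behind most of the settlements above. Every hostname, account and software name below is constructed; in practice the observed list would be exported from an MDM or EDR console, and the allow-lists would be the documented policy the corrective action plans require.

```python
# Added example, not part of the original post. All data is constructed.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Device:
    """One endpoint as reported by an MDM/EDR export (constructed schema)."""
    hostname: str
    owner: str
    disk_encrypted: bool            # full-disk encryption enabled?
    holds_ephi: bool                # does this device store ePHI?
    local_admins: list = field(default_factory=list)
    installed_software: list = field(default_factory=list)


# Policy allow-lists (constructed). These are the "authorized" side of the
# inventory controls: anything observed but absent here is a finding.
AUTHORIZED_DEVICES = {"clinic-lt-01", "clinic-lt-02", "clinic-srv-01"}
AUTHORIZED_SOFTWARE = {"ehr-client", "office-suite", "edr-agent"}
AUTHORIZED_ADMINS = {"it-helpdesk", "it-admin"}

# Observed inventory (constructed sample export).
OBSERVED = [
    Device("clinic-lt-01", "nurse.a", True, True,
           ["it-admin"], ["ehr-client", "edr-agent"]),
    # Unencrypted laptop holding ePHI, a clinician self-granted admin,
    # and an unapproved consumer sync client.
    Device("clinic-lt-02", "dr.b", False, True,
           ["it-admin", "dr.b"], ["ehr-client", "office-suite", "consumer-sync"]),
    # Personal device that never went through onboarding.
    Device("personal-mbp", "dr.c", True, False,
           ["dr.c"], ["office-suite"]),
    Device("clinic-srv-01", "it", True, True,
           ["it-admin"], ["edr-agent"]),
]


def audit(devices, authorized_devices, authorized_software, authorized_admins):
    """Return a list of (hostname, finding_type, detail) tuples."""
    findings = []
    for d in devices:
        if d.hostname not in authorized_devices:
            findings.append((d.hostname, "unauthorized-device", d.owner))
        # The control that would have changed every settlement above:
        # ePHI on an unencrypted disk is a reportable breach the moment
        # the device is lost or stolen.
        if d.holds_ephi and not d.disk_encrypted:
            findings.append((d.hostname, "ephi-unencrypted", ""))
        for sw in d.installed_software:
            if sw not in authorized_software:
                findings.append((d.hostname, "unauthorized-software", sw))
        for acct in d.local_admins:
            if acct not in authorized_admins:
                findings.append((d.hostname, "unapproved-admin", acct))
    return findings


def summarize(findings):
    """Count findings per type, e.g. for a monthly compliance report."""
    return dict(Counter(ftype for _, ftype, _ in findings))


if __name__ == "__main__":
    results = audit(OBSERVED, AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE, AUTHORIZED_ADMINS)
    for host, ftype, detail in results:
        print(f"{host:14} {ftype:22} {detail}")
    print(summarize(results))
```

Running the audit on the constructed inventory produces five findings across two devices; the two policy-compliant hosts produce none. The per-type counts from `summarize` are the kind of evidence an OCR corrective action plan expects a provider to be able to document on an ongoing basis.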
Healthcare companies need to acknowledge that in addition to their core business, they are also in the IT business.
They can tackle cybersecurity in-house, or they can hire subcontractors to help them stay in compliance with HIPAA’s many rules and regulations.
IT companies have a fantastic opportunity to profit from this reality by positioning themselves as effective partners in PHI protection.