The struggle for HIPAA compliance in the modern healthcare industry.
HIPAA compliance is not something that your healthcare practice can bluff its way through.
Medical records are a hot commodity on the black market. Patient health records can sell for as much as $373 per record, which is about ten times more valuable than financial data. Medical information is more valuable and longer lasting than financial data. While people can change or cancel credit cards and bank accounts, deleting or changing your birthdate or social security number is impossible. It is not surprising that health care companies experienced a 72% increase in cyberattacks between 2013 and 2014 from hackers trying to obtain this valuable information.
While compromised health records pose huge problems for individuals, ePHI breaches can negatively, sometimes disastrously, affect companies as well. HIPAA fines, criminal charges, and civil lawsuits can be significant, and they are only the onset of the consequences. Advocate Health Care recently agreed to pay a settlement of $5.5 million, the largest settlement to date against a single entity, for multiple potential violations of HIPAA involving ePHI. However, the indirect costs can be the hardest to recover from. A company’s reputation can take a huge hit, especially if it is listed on the HHS “Wall of Shame”, since the Office for Civil Rights (OCR) posts all large data breaches online.
Many HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. Wellpoint Inc., a managed care company, did not implement appropriate administrative and technical safeguards, which resulted in a $1.7 million settlement and the ePHI of 612,402 individuals being impermissibly disclosed without the company even knowing until a lawsuit was filed. Wellpoint’s breaches could have been avoided by implementing proper IT practices.
Insecure email, records stolen by hackers, and malware and ransomware attacks are major causes of data breaches. In 2014, Anchorage Community Mental Health Services (ACMHS) was fined $150,000 for a malware infection that compromised the records of 2,700 people. The incident was a direct result of ACMHS failing to address basic risks such as running outdated, unsupported software and not applying patches.
However, this doesn’t mean all data breaches are the result of cyberattacks; many occur through employee error or dishonesty. Massachusetts Eye and Ear Infirmary paid $1.5 million stemming from violations found when a personal unencrypted laptop containing patients’ clinical data was stolen. Unencrypted data has been a major reason behind data breaches, and although it is not a 100 percent solution, encrypting important data can help mitigate or prevent many cases. If an encrypted device is lost or stolen, it will not result in a HIPAA breach for exposure of patient data, since the organization can safely assume the thief cannot access the data, provided the encryption key was not exposed along with the device.
Staying compliant with HIPAA can be a moving target. Companies may be HIPAA compliant one day but fail the next if certain processes and documentation are not in place. Proper cyber security controls and standards must be followed by health care companies and become routine. IT best practice combined with the appropriate documentation leads to HIPAA compliance and greatly reduces the risk of patient information being leaked.