Avoid being the next target for a HIPAA breach
In 2016, the Office for Civil Rights imposed civil monetary penalties of more than $22.8 million on 12 entities, including a business associate. The most frequent violations of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act regulations are not hacking.
The violations are lost or stolen laptops, mobile devices, paper records, and thumb drives. Other violations include having no security risk assessment or an assessment that is not enterprise-wide, and having no business associate agreement or an outdated one. The final violation is improper disclosure of PHI.
Effective September 6, 2016, the penalties for violations of the HIPAA Laws have increased. For entities that responded “Did not know,” the penalties range from $110 to $55,010. For violations found to be “reasonable cause,” the penalties fall within the $1,100 to $55,010 range. Violations found to be “willful neglect” but corrected range from $11,002 to $55,010, while a “willful neglect” violation that was not corrected carries a penalty of $55,010.
The OCR announced in August that it also will begin investigating breaches of protected health information that affect fewer than 500 individuals, or small breaches. The factors to be considered in deciding whether a small breach will be investigated include:
1. Size of the breach
2. Was there theft or improper disposal of unencrypted PHI?
3. Did the breach involve an unwanted intrusion into the IT system (e.g., hacking)?
4. Amount, nature, and sensitivity of the PHI
5. Have there been multiple breaches reported from the same entity?
6. Have similar entities had small breaches reported?
So there is even more reason now for covered entities and business associates to take steps to minimize the risk of a civil monetary penalty (CMP), which typically also results in an extensive corrective action plan (CAP) being required by the Office for Civil Rights.
How can you avoid being the next victim of a CMP and CAP? First, if the level of violation is “did not know” or “reasonable cause,” no penalty will be imposed by the OCR if the violation is corrected within 30 days of discovery.
Therefore, timely reporting of violations is critical, which is then followed up by a robust investigation and responsive actions. You must require employees to notify the designated person within 24 hours of when a breach is known or suspected.
Since frequently this requires employees to self-report their own mistakes, there must be a culture that fosters this transparency without repercussions.
Second, the OCR has encouraged covered entities and business associates that experience a violation of the HIPAA Laws to perform a root cause analysis of why the violation occurred. The Joint Commission and the National Patient Safety Foundation have excellent tools for root cause analyses and action plans.
If the violation is “willful neglect,” the HIPAA Laws require the OCR to impose a CMP. But if the violation is corrected within 30 days of being discovered, the potential CMP is much less. Having well-defined strategies in place before a violation occurs will more likely result in timely resolution of the violation and avoidance of a CMP and CAP. Detailed documentation must clearly reflect when the violation was discovered, how the violation was investigated, and what actions were taken to minimize and correct the violation.