Why You Can’t Afford to Take HIPAA Security Incidents Lightly

May 30, 2019

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a record year for Health Insurance Portability and Accountability Act (HIPAA) enforcement activity in 2018. OCR collected $28.7 million in penalties for the year, which surpassed the previous annual record by over $5 million.

The HIPAA health privacy and data security rules apply to health plans, health care providers, and health care clearinghouses. While most penalties are assessed against providers, there are still lessons employers with health plans should learn:

Make sure your HIPAA compliance program is up to date

Data breaches are becoming more common and a breach of protected health information (PHI) can lead to an OCR investigation. While a breach by itself may not trigger a penalty, an entity that doesn’t have policies and procedures or hasn’t done a security risk assessment likely will get penalized. If you did a risk assessment, take steps to address your vulnerabilities. If you haven’t done one, complete it soon.

Train your employees on HIPAA requirements and best practices

Make sure they understand what HIPAA requires and how best to protect PHI. Physical security is important, and records containing PHI should never be left unattended. Anything containing PHI (e.g. a laptop or even a paper file) should be hidden and/or secured at all times, especially in an employee’s car (locked in the trunk).

Don’t ignore or delay BAAs

Most employers regularly dealing with HIPAA are likely tired of having to get business associate agreements (BAAs) from their vendors that handle PHI. However, not having BAAs can be used to demonstrate that the company doesn’t take HIPAA seriously and may increase penalties in the event of a breach. Get BAAs in place in a timely manner and update them when necessary.

Have a robust HIPAA training that teaches employees when they can speak and when they shouldn’t

Those familiar with HIPAA know that they should not disclose PHI without an authorization. Disclosure can take many forms, whether it’s talking about someone’s PHI, sending emails to the wrong recipient, or talking to the media. Employees should be trained so that they understand the importance of keeping PHI private and when they can and (more importantly) cannot disclose it. Make sure anyone handling media inquiries understands the HIPAA requirements if there’s a likelihood that PHI could be relevant to the response.

HIPAA’s administrative safeguards require covered entities to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents that are known to the covered entity, and document security incidents and their outcomes. If the security incident rises to the level of a breach, the covered entity also has notification requirements. Failure to satisfy these requirements can have very real consequences to your business.

Record 2018 HIPAA penalties should serve as a reminder to revisit your security incident procedures, and should be a wake-up call for those that are not prepared to respond promptly. Although no covered entity can be 100% immune from the threat of a breach, preparation today can minimize the extent to which a breach will harm your company tomorrow. In the end, it all boils down to keeping your HIPAA compliance program up to date and top of mind. The best defense is a good program.