Healthcare providers and business partners are undergoing Phase II audits starting in the summer of 2016. The Department of Health and Human Services (HHS) is the agency charged with the enforcement of HIPAA; this function is carried out by the HHS Office for Civil Rights (OCR). Data breaches in the healthcare industry are becoming ubiquitous. In response, OCR is cracking down on the party(ies) responsible for the breach.
OCR has settled a number of breach incidents, and the fines after a settlement is still, in fact, high enough to threaten some organization’s existence.
OCR Enforcement Actions
While fines can be costly, not all violations are treated equally. The OCR settles many cases of HIPAA violations without any direct settlement costs, although the offending entities may incur costs caused by coming into compliance.
Two Hefty Fines Announced in July 2016
The US HHS announced in July 2016 two large fines for HIPAA violations. Portland-based Oregon Health & Science University (OHSU) paid a settlement of $2.7 million to HHS, and the University of Mississippi Medical Center (UMMC) paid a similar fine in the amount of $2.75 million.
Oregon Health & Science University
Oregon Health & Science University is a major provider of healthcare in the Portland, Oregon region. It is made up of many general and specialty clinics as well as two hospitals. It operates as a public, not-for-profit organization.
The problem that caught the attention of the OCR was the lack of follow-up on prior breaches involving HIPAA and specifically for failure to have a compliant business associate agreement with a vendor to the system. This alone would not have created a situation warranting such a costly settlement. But their failure to act responsibly following earlier breaches was a contributing factor. Following is what OCR Director Jocelyn Samuels had to say about the OHSU settlement.
“From well-publicized large-scale breaches and findings in their own risk analysis, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI.This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
University of Mississippi Medical Center
In 2013, UMMC had an unencrypted laptop stolen that was used on a certain unit of the hospital to access patient data. But no evidence exists that any patient information was accessed or disclosed from entry to hospital databases. The breach had information about 10,000 patients on it; however, no harm was done to any of them, so why the high fine?
The fine was steep simply because, as with OHSU, UMMC had prior knowledge of the potential for breaches since 2005, but they had failed to make appropriate changes in the manner that HIPAA protected information was treated.
In a press release from HSS, the public learned the following:
“U.S. Department of Health and Human Services, Office for Civil Rights (OCR). OCR’s investigation of UMMC was triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. UMMC will pay a penalty of $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.”
The large settlements and others like them give credence to HHS’s announcing that Phase II HIPAA audits will begin in the summer of 2016, and it will include vendors and hospital partners that share patient information. The purpose of these audits is to inform and educate. Organizations that have been aware of the potential and executed threats against their ePHI (electronic Personal Health Information) and have not taken corrective action may further serve as examples of provider behavior that is out of compliance with HIPAA rules and regulations.
{company} is the trusted choice when it comes to staying ahead of the latest information technology, tips, tricks and news. Contact us at {phone} or send us an email at {email} for more information.