Over the course of 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a number of resolution agreements with covered entities and business associates for violations of the Health Insurance Portability and Accountability Act (HIPAA).

These HIPAA settlements are mutually agreed-upon resolutions between HHS and the offending entities. A settlement may require these parties to implement additional safeguards to better secure protected health information (PHI). It may also include a civil money penalty and subject the offending entity to HHS monitoring for up to three years.

HIPAA settlements are not always achieved, however. If the HHS cannot reach an appropriate agreement with an offender, it may impose civil money penalties (CMPs) for noncompliance.

Learning From HIPAA Settlements

Each settlement listed on the HHS website includes a resolution and corrective action plan (CAP). These action plans demonstrate ways in which other organizations might tighten their infrastructures, processes and procedures related to health records and other patient information.

Risk Analysis

Many CAPs call on offending entities to incorporate comprehensive risk analysis into processes related to PHI. This would require a party in violation to:

  • Develop a complete inventory of all its facilities, electronic equipment, data systems and applications that contain or store PHI and conduct a thorough risk analysis.
  • Evaluate the risk to all equipment, data systems and applications. The evaluation should extend to any portion of the entity’s infrastructure that deals with PHI.
  • Provide documentation related to current security measures and the level of risk to PHI within network segmentation, network infrastructure, vulnerability scanning, logging and patch management.

In truth, the processes described above should be standard operating procedure for any organization that handles PHI.

Policies and Procedures

CAPs also commonly require offending parties to review policies and procedures related to the security of PHI. This may force them to:

Training is often viewed as lost productivity and placed on the back burner, but it is more pragmatic to view training as a valuable investment.

The bottom line is that PHI must be protected. Knowing the state of PHI when at rest and in transit is the key to determining the level of risk at a given time. Many CAPs require organizations to report details on their use of encryption. This report needs to include:

  • The number of devices used to access, store, download or transmit PHI;
  • The number of devices that are encrypted;
  • Evidence of such encryption; and
  • Details related to any devices that lack encryption.

The clear message to all entities is that if your data is at rest, it needs to be encrypted, unless there is a clear and well-documented need for it to remain unencrypted.
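The report described above is only as good as the evidence behind it, and "evidence of such encryption" is the item most often asserted rather than collected. The following script is an added example, not part of the original article and not an HHS or OCR tool. It reads the JSON output of the Linux `lsblk -J` command for each host in an inventory, decides for every mounted filesystem whether it sits on a dm-crypt (LUKS) mapping anywhere in its block-device stack, and produces the four items a CAP encryption report asks for. The three host records are constructed samples, not captured from any real system; the hostnames, device names and the `EXEMPT_MOUNTS` list are assumptions for illustration. It treats swap as data at rest, since memory pages holding PHI are written there, and it treats an unencrypted boot partition as a documented exemption rather than a finding.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for
# three hypothetical hosts (not captured from any real system). Newer util-linux
# emits a "mountpoints" list instead of a single "mountpoint"; srv-03 uses that form.
SAMPLE_INVENTORY = {
    "ws-01": {"blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
                {"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]},
    "ws-02": {"blockdevices": [
        {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
            {"name": "nvme0n1p2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}]}]},
    "srv-03": {"blockdevices": [
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoints": [None], "children": [
            {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "mountpoints": [None], "children": [
                {"name": "luks-data", "type": "crypt", "fstype": "LVM2_member", "mountpoints": [None], "children": [
                    {"name": "vg-phi", "type": "lvm", "fstype": "xfs", "mountpoints": ["/srv/phi"]}]}]}]}]},
}

# Mounts that hold no PHI by design (assumed list); each exemption must be a
# documented decision, which is what the "well-documented need" clause requires.
EXEMPT_MOUNTS = ("/boot", "/boot/efi")


def walk(devices, ancestors=()):
    """Yield (device, ancestors) for every node of an lsblk device tree."""
    for dev in devices:
        yield dev, ancestors
        yield from walk(dev.get("children", []), ancestors + (dev,))


def mountpoints_of(dev):
    """Normalise the old single-string and the new list-valued mountpoint fields."""
    if dev.get("mountpoint"):
        return [dev["mountpoint"]]
    return [mp for mp in dev.get("mountpoints", []) if mp]


def classify_host(lsblk_json, exempt=EXEMPT_MOUNTS):
    """Split one host's mounts into encrypted (mount -> dm-crypt device) and
    unencrypted (mount -> backing device).

    A filesystem counts as encrypted at rest only if it, or an ancestor in its
    block stack, is a dm-crypt mapping; LVM on LUKS therefore passes, while a
    bare partition does not. Swap is treated as data at rest because memory
    pages holding PHI are written to it."""
    encrypted, unencrypted = {}, {}
    for dev, ancestors in walk(lsblk_json["blockdevices"]):
        for mp in mountpoints_of(dev):
            if mp in exempt:
                continue
            chain = ancestors + (dev,)
            crypt = next((d["name"] for d in chain if d.get("type") == "crypt"), None)
            if crypt:
                encrypted[mp] = crypt
            else:
                unencrypted[mp] = dev["name"]
    return encrypted, unencrypted


def encryption_report(inventory):
    """Build the four items the CAP encryption report asks for."""
    report = {"devices_total": 0, "devices_encrypted": 0, "evidence": {}, "unencrypted": {}}
    for host, lsblk_json in inventory.items():
        encrypted, unencrypted = classify_host(lsblk_json)
        report["devices_total"] += 1
        report["evidence"][host] = encrypted            # evidence of encryption, per mount
        if unencrypted:
            report["unencrypted"][host] = unencrypted  # details on devices lacking encryption
        else:
            report["devices_encrypted"] += 1
    return report


if __name__ == "__main__":
    print(json.dumps(encryption_report(SAMPLE_INVENTORY), indent=2))
```

Run against real hosts, the `SAMPLE_INVENTORY` dict would be replaced by the parsed output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` collected from each machine; the per-host evidence map also serves as the documentation of current security measures that the risk analysis section above calls for. The check is Linux-specific: a fleet with Windows endpoints would need the equivalent BitLocker status gathered separately, and a self-encrypting drive whose encryption is enforced in firmware will not show up as a `crypt` device and would have to be evidenced another way.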

Access Controls

Unauthorized access to PHI is an ongoing issue. Countless news headlines have documented instances in which files went missing, uncredentialed personnel accessed critical materials, third-party vendors gained inappropriate access and more. The HHS stresses the need to know who is accessing PHI and whether they are required to have access, and, in the case of third-party entities, to ensure that the business associate agreements spell out the security and privacy requirements for protecting data.

Security Awareness Training

Many CAPs require entities to provide security awareness training to workforce personnel who handle PHI. Training materials must be approved by the HHS. If the materials fail to meet the HHS standards, the organization must adjust and resubmit them for approval. This cycle continues until the training is deemed appropriate and sufficient.

Avoiding HIPAA Settlements

The best course of action is to hire a dedicated employee to be held accountable for the security of PHI. This individual can manage the comprehensive risk assessment and necessary actions stemming from regulations.

Furthermore, it’s critical to discourage employees from taking shortcuts or stepping outside of established processes and procedures. They should be thoroughly trained on how to transmit and handle PHI securely and in compliance with HIPAA.

As we like to say in the security industry, you should always treat sensitive information such as PHI as if it was cash — your cash.
