HIPAA Settlements of 2016: Lessons Learned
Over the course of 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached many resolution agreements with a number of covered entities and business associates for violation of the Health Insurance Portability and Accountability Act (HIPAA).
These HIPAA settlements are mutually agreed-upon resolutions between HHS and the offending entities. A settlement may require these parties to implement additional parameters to better secure personal health information (PHI). It may also include a civil money penalty and subject an offending entity to HHS monitoring for up to three years.
HIPAA settlements are not always achieved, however. If the HHS cannot reach an appropriate agreement with an offender, it may impose civil money penalties (CMPs) for noncompliance.
Learning From HIPAA Settlements
Each settlement listed on the HHS website includes a resolution and corrective action plan (CAP). These action plans demonstrate ways in which other organizations might tighten their infrastructures, processes and procedures related to health records and other patient information.
Many CAPs call on offending entities to incorporate comprehensive risk analysis into processes related to PHI. This would require a party in violation to:
- Develop a complete inventory of all its facilities, electronic equipment, data systems and applications that contain or store PHI and conduct a thorough risk analysis.
- Evaluate the risk to all equipment, data systems and applications. The evaluation should extend to any portion of the entity’s infrastructure that deals with PHI.
- Provide documentation related to current security measures and the level of risk to PHI within network segmentation, network infrastructure, vulnerability scanning, logging and patch management.
In truth, the processes described above should be standard operating procedure for any organization that handles PHI.
Policies and Procedures
CAPs also commonly require offending parties to review policies and procedures related to the security of PHI. This may force them to:
- Revise policies and procedures to ensure compliance with the Health Information Technology for Economic Clinical Health (HITECH) Act.
- Develop training materials on the new policies and procedures.
- Require every employee to participate in the training and get certified if applicable.
- Create security incident procedures to investigate anomalies.
Training is often viewed as a loss to production and placed on the back burner. But it’s more pragmatic to view training as a valuable investment.
The bottom line is that PHI must be protected. Knowing the state of PHI when at rest and in transit is the key to determining the level of risk at a given time. Many CAPs require organizations to report details on their use of encryption. This report needs to include:
- The number of devices used to access, store, download or transmit PHI;
- The number of devices that are encrypted;
- Evidence of such encryption; and
- Details related to any devices that lack encryption.
The clear message to all entities is that if your data is at rest, it needs to be encrypted, unless there is a clear and well-documented need for it to be insecure.
Unauthorized access to PHI is an ongoing issue. Countless news headlines have documented instances in which files went missing, uncredentialed personnel accessed critical materials, third-party vendors gained inappropriate access and more. The HHS stresses the need to know who is accessing PHI, whether they are required to have access and, in the case of third-party entities, ensuring the business associate agreements spell out the security and privacy requirements for protecting data.
Security Awareness Training
Many CAPs require entities to provide security awareness training to workforce personnel who handle PHI. Training materials must be approved by the HHS. If the materials fail to meet the HHS standards, the organization must adjust and resubmit them for approval. This cycle continues until the training is deemed appropriate and sufficient.
Avoiding HIPAA Settlements
The best course of action is to hire a dedicated employee to be held accountable for the security of PHI. This individual can manage the comprehensive risk assessment and necessary actions stemming from regulations.
Furthermore, it’s critical to discourage employees from taking shortcuts or stepping outside of established processes and procedures. They should be thoroughly trained on how to transmit and handle PHI securely and in compliance with HIPAA.
As we like to say in the security industry, you should always treat sensitive information such as PHI as if it was cash — your cash.