Over the course of 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached resolution agreements with a number of covered entities and business associates for violations of the Health Insurance Portability and Accountability Act (HIPAA).

These HIPAA settlements are mutually agreed-upon resolutions between HHS and the offending entities. A settlement may require these parties to implement additional safeguards to better secure personal health information (PHI). It may also include a civil money penalty and subject an offending entity to HHS monitoring for up to three years.

HIPAA settlements are not always achieved, however. If the HHS cannot reach an appropriate agreement with an offender, it may impose civil money penalties (CMPs) for noncompliance.

Learning From HIPAA Settlements

Each settlement listed on the HHS website includes a resolution and corrective action plan (CAP). These action plans demonstrate ways in which other organizations might tighten their infrastructures, processes and procedures related to health records and other patient information.

Risk Analysis

Many CAPs call on offending entities to incorporate comprehensive risk analysis into processes related to PHI. This would require a party in violation to:

  • Develop a complete inventory of all its facilities, electronic equipment, data systems and applications that contain or store PHI and conduct a thorough risk analysis.
  • Evaluate the risk to all equipment, data systems and applications. The evaluation should extend to any portion of the entity’s infrastructure that deals with PHI.
  • Provide documentation related to current security measures and the level of risk to PHI within network segmentation, network infrastructure, vulnerability scanning, logging and patch management.

In truth, the processes described above should be standard operating procedure for any organization that handles PHI.

Policies and Procedures

CAPs also commonly require offending parties to review policies and procedures related to the security of PHI. This may force them to:

Training is often viewed as a loss to production and placed on the back burner. But it’s more pragmatic to view training as a valuable investment.


The bottom line is that PHI must be protected. Knowing the state of PHI when at rest and in transit is the key to determining the level of risk at a given time. Many CAPs require organizations to report details on their use of encryption. This report needs to include:

  • The number of devices used to access, store, download or transmit PHI;
  • The number of devices that are encrypted;
  • Evidence of such encryption; and
  • Details related to any devices that lack encryption.

The clear message to all entities is that if your data is at rest, it needs to be encrypted, unless there is a clear and well-documented reason for it to remain unencrypted.
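The two requirements above fit together naturally: the asset inventory that the Risk Analysis section calls for is exactly the input from which the encryption report can be generated. The following Python script is an added example, not code from the original article or from HHS; it models an inventory of PHI-bearing assets (schema and every record are constructed sample data), rates the risk to PHI on each asset from its encryption status, and produces the four items the report must contain: the count of devices handling PHI, the count that are encrypted, the evidence for each, and details of every device that is unencrypted or not yet assessed. Unencrypted assets with no documented exception are surfaced as findings, which is the "clear and well-documented need" check in code.

```python
"""Inventory-driven encryption coverage report for PHI-bearing assets.

Added example, not part of the original article. All assets below are
constructed sample data; the field names are assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    """One entry in the PHI asset inventory (constructed schema)."""
    asset_id: str
    kind: str                         # device, data_system, application, facility
    location: str                     # facility or network segment
    handles_phi: bool                 # accesses, stores, downloads or transmits PHI
    encrypted: Optional[bool] = None  # None means encryption status not yet assessed
    evidence: str = ""                # reference to proof (key escrow, attestation)
    exception: str = ""               # documented reason for remaining unencrypted


def risk_level(asset: Asset) -> str:
    """Rate the risk to PHI on a single asset from its encryption state."""
    if not asset.handles_phi:
        return "none"
    if asset.encrypted is None:
        return "high"                 # unassessed assets are treated as worst case
    if asset.encrypted is False:
        return "medium" if asset.exception else "high"
    return "low" if asset.evidence else "medium"   # an encrypted claim needs evidence


def encryption_report(inventory):
    """Build the encryption report a CAP asks for from the inventory."""
    phi_assets = [a for a in inventory if a.handles_phi]
    encrypted = [a for a in phi_assets if a.encrypted is True]
    unencrypted = [a for a in phi_assets if a.encrypted is not True]
    return {
        "phi_devices": len(phi_assets),
        "encrypted": len(encrypted),
        "evidence": {a.asset_id: a.evidence for a in encrypted},
        "unencrypted": [
            {"asset_id": a.asset_id, "kind": a.kind, "location": a.location,
             "status": "unknown" if a.encrypted is None else "unencrypted",
             "exception": a.exception or None, "risk": risk_level(a)}
            for a in unencrypted
        ],
        # Findings: PHI left unencrypted with no documented justification.
        "findings": sorted(a.asset_id for a in unencrypted if not a.exception),
    }


def format_report(report) -> str:
    """Render the report dict as plain text for a CAP submission draft."""
    lines = [
        f"PHI devices: {report['phi_devices']}",
        f"Encrypted:   {report['encrypted']}",
        "Evidence:",
    ]
    lines += [f"  {k}: {v or 'MISSING'}" for k, v in report["evidence"].items()]
    lines.append("Unencrypted / unassessed:")
    for u in report["unencrypted"]:
        lines.append(f"  {u['asset_id']} ({u['kind']}, {u['location']}): "
                     f"{u['status']}, risk={u['risk']}, "
                     f"exception={u['exception'] or 'NONE'}")
    lines.append("Findings requiring action: "
                 + (", ".join(report["findings"]) or "none"))
    return "\n".join(lines)


# Constructed sample inventory; ticket and document references are placeholders.
SAMPLE_INVENTORY = [
    Asset("LT-0001", "device", "Clinic A", True, True,
          evidence="Full-disk encryption key escrowed (ticket CONSTRUCTED-1)"),
    Asset("LT-0002", "device", "Clinic A", True, False),
    Asset("DB-EHR", "data_system", "Datacenter VLAN 10", True, True),
    Asset("MRI-01", "device", "Imaging VLAN 20", True, False,
          exception="Vendor-managed modality; compensating controls in RA-DOC-CONSTRUCTED"),
    Asset("KIOSK-3", "application", "Lobby", False),
    Asset("USB-PHARM", "device", "Pharmacy", True),
]

if __name__ == "__main__":
    print(format_report(encryption_report(SAMPLE_INVENTORY)))
```

Two design points worth noting: an asset whose encryption status has not been assessed is rated as high risk rather than skipped, because an inventory gap is itself a finding in a risk analysis; and an asset reported as encrypted but with no evidence reference is rated medium, since the CAP asks for evidence, not assertions.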

Access Controls

Unauthorized access to PHI is an ongoing issue. Countless news headlines have documented instances in which files went missing, uncredentialed personnel accessed critical materials, third-party vendors gained inappropriate access and more. The HHS stresses the need to know who is accessing PHI and whether they are required to have access, and, in the case of third-party entities, to ensure that the business associate agreements spell out the security and privacy requirements for protecting data.

Security Awareness Training

Many CAPs require entities to provide security awareness training to workforce personnel who handle PHI. Training materials must be approved by the HHS. If the materials fail to meet the HHS standards, the organization must adjust and resubmit them for approval. This cycle continues until the training is deemed appropriate and sufficient.

Avoiding HIPAA Settlements

The best course of action is to hire a dedicated employee to be held accountable for the security of PHI. This individual can manage the comprehensive risk assessment and necessary actions stemming from regulations.

Furthermore, it’s critical to discourage employees from taking shortcuts or stepping outside of established processes and procedures. They should be thoroughly trained on how to transmit and handle PHI securely and in compliance with HIPAA.

As we like to say in the security industry, you should always treat sensitive information such as PHI as if it were cash — your cash.
