More HIPAA fines on the way!
According to the HHS.gov website, the Office of Civil Rights (OCR) has investigated more than 186,000 HIPAA complaints since 2003, and levied fines totaling more than $78M. And they don’t seem to be slowing down.
At HIMSS18, the director of the OCR said his team is “looking for big, juicy egregious cases.” A quick perusal of the OCR Breach Portal can give you an idea of what they’re looking at, and the OCR’s Resolution Agreements page can give you a pretty good idea of what they consider egregious. With fines as high as ever and jail time levied in a few cases, you definitely want to make sure you’re following the standards.
Here are six often-overlook aspects of HIPAA compliance that could land you a spot on the OCR’s portal if you’re not careful.
#1 No Business Associate Agreement – HIPAA rules state that organizations handling Private Health Information (PHI) must have a business associate agreement (BAA) with everyone in the chain of delivery. This includes cloud providers that may house your PHI and even platforms such as DropBox or Skype on which PHI might be shared. Last year, the OCR fined The Center for Children’s Digestive Health (CCDH) $31K for not having a signed BAA with the third-party provider they had engaged to store their records.
#2 Insufficient Encryption – All PHI data must be encrypted both in-motion (between your user and your database) as well as at rest (as it sits on the disk). One of the largest fines ever ($4.3M) was levied last year against a medical research company for the loss due to theft of PHI data stored on a laptop and two thumb drives. The company had encryption policies covering its core systems, but neglected to govern mobile data.
#3 Lack of Physical Security Measures – This is one of the biggest challenges for organizations that manage their own on-premises data centers. Looking over the incidents in the Breach Portal, take note of how many of them are theft related. Others involve the unauthorized disclosure of PHI in paper format. When access to sensitive areas of your building aren’t properly monitored and restricted, it’s easy for things to go missing or people to see information they shouldn’t.
#4 Inadequate Training – Humans continue to be the weakest link in any security/compliance plan. According to one study, 91% of successful cyber-attacks start with phishing. In fact, 31% of healthcare employees responded to the simulated phishing emails. Perhaps it’s not so surprising that the number of incidents on the Breach Portal that list the location of breached information as “email” is so high. Training your employees on proper procedures and precautions need to be regular and frequent.
#5 Failure to Separate Web/Application from Your Database – This is a general hosting best practice that also applies to HIPAA. You want to make sure the PHI stored in your databases is separate from the rest of your environment. There are certain ports that you want open on a web server that you don’t want open on a database server, so you have to logically separate those two data points.
#6 Failure to document compliance – One of the most common problems resulting in fines is not that an entity did something wrong, but that they could not prove they did not. Our Centralized Log Services and Security Information Event Monitoring (SIEM) services provide our customers with the ability to demonstrate that they have (or had) proper security measures in place at the time the alleged infraction occurred. In addition our Compliance Team is there to help them manage their compliance, scan for and mitigate vulnerabilities, and provide documentation and audit assistance for our customers.
Have questions? Connectria helps healthcare companies, including both providers as well as ISVs, improve their HIPAA/HITECH compliance with HIPAA compliant hosting in our SSAE-18 independently-certified data centers as well as in Azure and AWS environments. We welcome your questions and comments below, or you can reach out directly to one of our HIPAA Compliance advisors for a one-on-one consultation.
 ‘No Slowdown’ for HIPAA enforcement, but Audits Ending, BankInfoSecurity.com