Nip it in the bud! Avoiding HIPAA penalties.


Regulatory financial settlements are on the rise  /  Data breach results in $4.8 million in HIPAA settlements

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to blow our minds with the breach penalties it has been announcing. But brace yourselves, because these penalties should continue to grow… so you had better plan to nip this in the bud!

Last month, OCR for the first time announced two breach penalties in one day, and the total for both penalties was $2 million. This month, to go one better, OCR announced the largest HIPAA settlement to date: $4.8 million (to which we must of course add the cost of the – extensive – corrective action plans that will have to be put in place)! However, if this figure makes your head reel, you’ll be even more stunned to learn what it actually corresponds to.

The Issue

What actually happened?

This new settlement once again concerns two entities – the New York and Presbyterian Hospital (NYP) and Columbia University (CU) – but this time both were participating together in a joint arrangement, operating a shared network and a shared network firewall that was administered by employees of both entities. They submitted a joint breach report when they found out that the deactivation of one of their servers had resulted in the ePHI of 6,800 people being accessible on internet search engines. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

What does it mean?

$4.8 million is a lot of money, but it is only the tip of the financial iceberg when all of the associated costs are considered. OCR took very seriously the fact that ePHI was made available on internet search engines. As well it should. How would any of us like to have our most personal information available to whoever wants it on the Internet? Actually, it’s a big deal.

Which brings us to our second point… $4.8 million isn’t that much, all things considered. Here’s the fine print: $4.8 million divided by the 6,800 people whose ePHI was exposed is about $700 per person in fines. $700 is a mere slap on the wrist for allowing an individual’s PHI to be spread all over the web as it was.

Let’s face it, the price is likely to go up as people become upset over the low-cost escape that companies are getting away with for their mismanagement of HIPAA-protected private and personal information. Take this into consideration, then add the costs associated with the proposed remediation requirements, and you’ll begin to see our point: this should really be nipped in the bud.

The Solution

Contact US ProTech. If you’d like to discuss and understand exactly what a “substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports” really entails, they’re exactly the kind of business you’re looking for, and they’re already working for clients just like you. US ProTech has a 100% satisfaction guarantee and serves industries nationwide.

In the words of Deputy Barney Fife, “This calls for action and now – nip it in the bud!”

For the full resolution agreements, click on the links below:

https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf

https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf