To avoid investigations and big settlement payments, be sure to do a HIPAA Risk Analysis – it’s not enough to have policies on the shelf. Active, ongoing HIPAA awareness and Risk Management year-round is the only way to satisfy regulators who investigate your compliance.
Excellus Health Plan learned this lesson the hard way when it was required to pay a $5.1 million settlement to the Office for Civil Rights (OCR) for failure to comply with the HIPAA Risk Analysis requirements. More than 9.1 million individuals were affected by the data breach at Excellus, which might have been prevented if a Risk Management plan were in place.
Excellus filed a breach report in September 2015 stating that cyber-attackers had gained unauthorized access to its information technology systems. The hackers broke into the system and stayed there for over 16 months, from 2013 through mid-2015.
The cyber thieves installed malware and spied on Excellus, leading ultimately to the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
Will My Organization Be Investigated?
Covered entities are required by HIPAA to report all breaches of protected health information to the Office for Civil Rights. Small breaches (affecting fewer than 500 individuals) are to be reported no later than 60 days after the end of the calendar year in which the breach occurred, but large breaches (affecting 500 or more individuals) are to be reported at the same time the affected individuals are notified, i.e., without unreasonable delay and within 60 days of discovery of the breach. OCR then investigates all large breaches. If the investigation uncovers significant compliance issues, a settlement payment and agreement is likely to follow.
Avoid Becoming the Next Big Case
In Excellus’ case, OCR found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls. “Enterprise-wide” means a Risk Analysis conducted across all lines of business, in all facilities, and at all locations. OCR has written about this repeatedly, and mentions it in press releases about settlements where the covered entity failed to meet the requirement.
At The HIPAA E-Tool®, compliance is intuitive and complete. The Risk Analysis – Risk Management module includes every requirement of the Privacy and Security Rules, and our Security Rule Checklist guarantees you’ve uncovered the risks you need to manage. It also reminds you about the need for information system activity review and access controls, the two other areas that tripped up Excellus.
Risk Management can help prevent breaches, but if a breach occurs in spite of your efforts and OCR investigates, you will be in much better shape by showing your diligence and good faith efforts – you could avoid a huge settlement payment.