If anyone doubts that HIPAA is being enforced, the Office for Civil Rights (OCR) which oversees HIPAA compliance, has made clear in the last two weeks that they are serious. OCR has set examples among eight covered entities and business associates of all types and sizes with their recent announcements of resolution agreements and monetary settlements.

Last week we wrote about five recent HIPAA settlements under the Right of Access Initiative. Those fines ranged from $3,500 to $70,000, and the HIPAA violations were specifically related to failing to provide patients’ with access to their own protected health information (PHI).

Ignoring HIPAA is Costly

Then, between September 21 and 25, OCR announced three much bigger settlements ranging from $1.5 to $6.85 million. Those investigations revealed noncompliance across a broader set of HIPAA requirements. In the announcements for all three cases OCR described “systemic noncompliance“. In other words, they all ignored key HIPAA responsibilities or only did the minimum.

In addition to the monetary settlements, all three organizations also agreed to a corrective action plan that includes two years of monitoring by OCR.

$1.5 million – Athens Orthopedic Clinic PA

In June 2016, Athens Orthopedic learned that a hacker had stolen a database of their patient records by using a vendor’s credentials. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.

On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.

When OCR investigated they found “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.”

Athens Orthopedic’s Resolution Agreement and Corrective Action Plan is here.

$2.3 million – CHSPSC LLC

CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.

In April 2014, the FBI notified CHSPSC LLC that hackers were attempting to break into CHSPSC’s information system. The hackers continued to access and steal the protected health information (PHI) of more than 6 million individuals for five more months until August. The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.

Similar to the Athens Orthopedic investigation, OCR found “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.”

CHSPSC’s Resolution Agreement and Corrective Action Plan is here.

$6.85 million – Premera Blue Cross

This is the second highest monetary settlement in OCR history – the highest was $16 million paid by Anthem in 2018. Premera Blue Cross (PBC) is a health plan operating in Washington and Alaska, serving more than 2 million people.

According to the OCR, in March 2015 PBC filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system more than a year earlier, in May 2014, which went undetected for more than eight months until January 2015.  This undetected cyberattack resulted in the disclosure of more than 10.4 million individuals’ PHI including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

Like the Athens Orthopedic and CHSPSC cases describe above, OCR found “systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.”

Premera’s Resolution Agreement and Corrective Action Plan is here.

HIPAA Risk Analysis – Risk Management is the Key

These three recent cases underscore that the HIPAA risk analysis is the single most important element of HIPAA compliance. Each organization had failed to do a risk analysis and failed to follow a risk management plan. The other failings mentioned – the information system activity review, security incident procedures and access control – are all on the HIPAA checklist within a HIPAA risk analysis, and their omission would have been revealed if it had been completed. Done right, the risk analysis uncovers gaps and risks, and the risk management plan from the analysis creates action steps to reduce those risks and fill the gaps.

Noncompliance is More Expensive than Compliance

If you have questions about how to do a HIPAA risk analysis that complies with OCR requirements, The HIPAA E-Tool® has answers. Included is step-by-step guidance that covers every element required by both the HIPAA Privacy and Security Rules and follows the NIST procedures recommended by OCR. Our HIPAA checklist is ready for you to use to get it done right, maintain your patients’ trust and avoid big penalties.

Free HIPAA Checklist
What best describes you?