2017 will go down as a change year for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300% increase in total collected fines over 2015. In 2017, nine compliance reviews were settled with resolution agreements in addition to a HIPAA enforcement action in which a civil monetary penalty was levied. A total of $19.4 million in fines and penalties were collected in 2017 by OCR through its enforcement actions.
OCR’s enforcement approach has quietly undergone a significant change by resolving enforcement actions informally when the covered entity or business associate corrects its compliance problems, and without the government levying fines or penalties for HIPAA violations. In 2017, over 800 cases will be closed through use of this informal enforcement approach. The number case closures in 2017 through an informal resolution increased by 10% over the number in 2016.
What Did We Learn from OCR HIPAA Enforcement Actions in 2017?
Several themes emerged from OCR enforcement actions that covered entities and business associates should keep in mind to help ensure their compliance with the HIPAA requirements.
- Performing Risk Analyses is crucial. One of the most consistent themes that has emerged from the resolution agreements and corrective action plans announced by OCR is that HIPAA covered entities and business associates must regularly conduct enterprise-wide information security risk analyses in accordance with the Security Rule to assess risk and vulnerabilities. The Security Rule does not proscribe a specific risk analysis methodology, however CynergisTek recommends performing the risk analysis using the NIST Cybersecurity Framework (NIST-CSF). Unlike some other frameworks, the NIST-CSF has been optimized to meet the requirements of the HIPAA Security Rule.
- Develop a Risk Management Plan. While conducting a risk analysis is critical, a risk management plan can assure that reasonable safeguards are adopted as a result of the risks or vulnerabilities identified through the risk analysis.
- Have Business Associate Agreements with vendors. A number of settlements in 2016 and 2017 made headlines when covered entities disclosed PHI to contractors and vendors without first assuring that appropriate safeguards to protect PHI were in place. The vendor subsequently suffered a breach that resulted in the PHI of individuals being disclosed without authorization in violation of the Privacy Rule. The HIPAA rules require that there be a signed business associate agreement in place prior to the vendor creating, receiving, or maintaining the PHI of the covered entity. An effective vendor management program ensures that third-party vendors have appropriate security safeguards to protect the organization’s PHI, as well as the required business associate agreement.
2017 OCR HIPAA Enforcement Fines and Penalties
Only You Can Prevent HIPAA Enforcement Actions
Healthcare providers, health plan administrators, and business associates should take measures now to identify and fix the gaps that threaten the confidentiality or security of their PHI. In addition, steps to review and replace policies and procedures that are out-of-date or that no longer align to the organization’s business or information system operations. Some best practices to prepare now include:
- Use OCR’s 2016 audit protocol as a benchmark for evaluating compliance and performance with the requirements of the Privacy, Security, and Breach Notification Rules
- Make sure you have conducted an information security risk analysis within the last year and that the gaps identified have been transferred to a risk management plan that follows progress to mitigating threats to PHI
- Subscribe to OCR’s Listserv to keep current with the latest guidance, FAQs and advisories concerning the HIPAA Rules and cybersecurity alerts.
- Ensure you have access to all required documentation needed to demonstrate compliance with the health information privacy and security rules.
- Consider conducting a mock audit or use a third-party specialist to make sure you are prepared for an OCR complaint investigation or compliance review.
Please contact us if you have any questions or need help assessing your HIPAA compliance or information security preparedness.