HIPAA Lessons and Examples: Breaches, Fines, and HIPAA Compliance

Data breaches have long plagued the healthcare industry, and they have been growing in both size and frequency. A recent study by Black Book Market Research shows how dire the situation is: the firm found a 300 percent increase in vulnerable healthcare organizations compared with the previous year, with 60 percent of surveyed organizations vulnerable to large-scale data breaches, and predicted that healthcare breaches are likely to triple in the coming year. With healthcare organizations a prime target, now is the time to review your cybersecurity strategy and whether you are adequately securing patient information.

What Are HIPAA Breaches?

HIPAA breaches are incidents that compromise the privacy or security of protected health information (PHI). Examples of HIPAA breaches include:

  • A hacking incident that gives an outsider access to PHI (e.g., a phishing attack, a compromised network server, or a compromised electronic medical record system).
  • An authorized employee who accesses PHI without cause.
  • An authorized employee who discloses PHI to an unauthorized party.
  • Theft or loss of paper records.
  • Theft or loss of an unencrypted device (e.g., a laptop, desktop, tablet, or other portable electronic device). Loss of a device whose PHI is encrypted to the standard in HHS guidance is generally not a reportable breach, which is one reason full-disk encryption is so valuable.

How Are Fine Amounts Determined?

The Office for Civil Rights (OCR) investigates breach reports and complaints to determine whether an organization's noncompliance or negligence contributed to the breach. When OCR finds an organization noncompliant, it can impose costly HIPAA fines or negotiate a settlement. In 2020 alone, OCR collected $13.5 million in fines and settlements from 19 organizations found to be noncompliant with HIPAA standards.

How much an organization is fined depends on its level of culpability, which is categorized into four tiers. Penalty amounts are set by statute and adjusted for inflation, and OCR may count each affected individual as a separate violation, which is why the "per record" figures below add up so quickly:

Tier 1: $100 – $50,000 per violation (or per record)—the organization did not know and could not have reasonably known of the violation.

Tier 2: $1,000 – $50,000 per violation (or per record)—the organization knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect.

Tier 3: $10,000 – $50,000 per violation (or per record)—the organization acted with willful neglect but corrected the problem within 30 days.

Tier 4: $50,000 per violation (or per record)—the organization acted with willful neglect and failed to make a timely correction.

HIPAA Compliance Protects You Against Breaches and Fines

Healthcare organizations that are HIPAA compliant are generally more secure. This is because many components of HIPAA relate to assessing your security measures, ensuring that you implement effective safeguards to secure data, and giving employees clear guidelines for keeping data secure.

HIPAA Self-Audits, Gap Identification, and Remediation: To ensure that your administrative, technical, and physical safeguards adequately protect PHI, HIPAA requires you to conduct a risk analysis and to periodically evaluate your safeguards; annual self-audits are the common way to meet this. By conducting self-audits, you identify risks and vulnerabilities to your PHI and expose gaps in your current safeguards. To address those gaps, you are required to create and document remediation plans that bring your safeguards up to HIPAA standards.

HIPAA Policies and Procedures: It is important to have documented HIPAA policies and procedures that reflect how your business actually operates. These policies and procedures should define the proper use and disclosure of PHI, how your organization safeguards PHI, and what to do in the event of a PHI breach.

Employee Training: A large portion of breaches stem from employee error, whether that is clicking on a phishing email, accessing PHI without cause, or sharing PHI with an unauthorized party. This is why one of your best defenses against breaches is employee training. Training should cover cybersecurity best practices, HIPAA basics, and an overview of your organization's policies and procedures.

Business Associate Agreements: A key component of HIPAA compliance, and a way to protect your organization against third-party breaches, is the business associate agreement (BAA). A BAA is a legal contract between a healthcare organization and a vendor that handles PHI on its behalf. BAAs require each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. A signed BAA limits your liability in the event of a third-party breach, because responsibility generally falls on the party whose negligence caused it (provided you did not know of, and ignore, the vendor's noncompliance). Without a signed BAA, you are at risk of fines for noncompliance, and you may also be held liable for the breach itself.

Incident Detection and Response: Having HIPAA security measures in place allows for quick detection of and response to breaches. This is because part of being HIPAA compliant is logging PHI access (the Security Rule's audit-control requirement) and regularly reviewing that activity to confirm that records are accessed only by authorized users with a legitimate reason. The faster you can detect and respond to a breach, the more you reduce its scope, its cost, and the time it takes to recover.
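As an added example of the access review this item describes (it is not code from this page or from Compliancy Group), the following Python script reviews a small set of constructed EHR audit-log lines and flags two patterns reviewers commonly look for: a user opening the record of a patient they have no documented care relationship with, and a user opening an unusually large number of distinct records in a short window. The log format, the care-team table, the exempt role, and the thresholds are all assumptions for the illustration.

```python
"""Added example: review EHR audit logs for access without cause.

Everything below (log format, care-team assignments, thresholds) is
constructed for illustration and is not the page's own code.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed audit log: timestamp, user, role, patient_id, action
AUDIT_LOG = """\
2023-03-01T08:02:11Z,nurse.jlee,RN,P1001,VIEW
2023-03-01T08:05:40Z,nurse.jlee,RN,P1002,VIEW
2023-03-01T08:09:03Z,dr.patel,MD,P1001,VIEW
2023-03-01T12:31:15Z,clerk.mroy,REG,P1003,VIEW
2023-03-01T12:31:52Z,clerk.mroy,REG,P1004,VIEW
2023-03-01T12:32:10Z,clerk.mroy,REG,P1005,VIEW
2023-03-01T12:32:44Z,clerk.mroy,REG,P1006,VIEW
2023-03-01T12:33:20Z,clerk.mroy,REG,P1007,VIEW
2023-03-01T12:34:02Z,clerk.mroy,REG,P1008,VIEW
2023-03-01T15:20:09Z,nurse.jlee,RN,P2000,VIEW
2023-03-01T16:00:00Z,him.kwong,HIM,P2000,EXPORT
"""

# Constructed care-team table: users with a documented treatment or
# registration relationship to each patient (assumed to come from the EHR).
CARE_TEAM = {
    "P1001": {"nurse.jlee", "dr.patel"},
    "P1002": {"nurse.jlee"},
    "P1003": {"clerk.mroy"},
    "P1004": {"clerk.mroy"},
    "P1005": {"clerk.mroy"},
    "P1006": {"clerk.mroy"},
    "P1007": {"clerk.mroy"},
    "P1008": {"clerk.mroy"},
    "P2000": {"dr.patel"},
}

# Roles whose job requires access to any record (assumed: health information
# management staff handling releases of information).
EXEMPT_ROLES = {"HIM"}


def parse_log(text):
    """Parse the CSV audit log into a list of event dicts."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, user, role, patient, action = row
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def find_no_relationship(events, care_team, exempt_roles=EXEMPT_ROLES):
    """Return accesses where the user has no documented relationship to the patient."""
    return [
        e for e in events
        if e["role"] not in exempt_roles
        and e["user"] not in care_team.get(e["patient"], set())
    ]


def find_access_bursts(events, max_patients=5, window=timedelta(minutes=10)):
    """Return {user: peak distinct patients} for users who opened more than
    max_patients distinct records inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > max_patients:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    for e in find_no_relationship(evs, CARE_TEAM):
        print(f"NO RELATIONSHIP: {e['user']} {e['action']} {e['patient']} at {e['ts']:%H:%M:%S}")
    for user, n in find_access_bursts(evs).items():
        print(f"ACCESS BURST: {user} opened {n} distinct records within 10 minutes")
```

On the constructed data the script reports nurse.jlee viewing P2000, a patient not on her care team, and clerk.mroy opening six distinct records in about three minutes. Neither finding is proof of wrongdoing; the point is that a flagged event gets a documented review, which is what the Security Rule's activity-review requirement expects. In a real deployment the care-team table would come from the EHR's encounter and scheduling data, the thresholds would be tuned per role, and the findings would feed a ticketing or SIEM workflow rather than stdout.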

Learn More on Learn ACA

Sign up for our “HIPAA Lessons Learned and Examples from Past Breaches and Fines” webinar on Learn ACA to learn from the HIPAA compliance experts at Compliancy Group. In this webinar, which offers 1 CE credit, we will review breaches and fines—big and small—and how implementing an effective compliance plan could have saved these businesses both money and negative publicity. You will be given actionable tips that you can apply today to start protecting your business!

Liam Degnan is a senior account manager with The Compliancy Group, ACA’s Preferred HIPAA Solution.