How to Plan for 2020 as HIPAA Violations Reach Unprecedented Heights

By Dustin Miranda, CSSBB | Consultant | October 29, 2019

Without adequate measures to keep patient health information private and secure, your organization faces a constant risk of HIPAA violations and compliance failures.

As a healthcare organization, you are not just responsible for the policies and procedures that impact patient health. You are also held accountable for the policies, processes, and technologies that impact patient privacy and security.

In 2018, the cost of HIPAA violations to the healthcare industry was higher than ever before.

As we head into 2020, you can prevent your organization from becoming part of that statistic by learning from the upsurge in violations in recent years.

Upsurge in HIPAA Fines for 2018

In 2018, we saw the highest dollar amount of HIPAA enforcement in history, with settlements and civil money penalties totaling roughly $29 million overall.

Because there were no substantial changes in regulations or technology last year, many healthcare professionals were caught off guard by the sudden upsurge.

Rising concerns about privacy and security, however, have pushed regulators to enforce the existing rules far more rigorously.

The Settlement the Media Exposed

2018 was a record-breaking year in part due to a $16 million settlement reached between Anthem and the Office for Civil Rights (OCR) for a data breach that affected 79 million people.

The case garnered widespread media coverage. Alongside other breaches at companies such as Facebook and Experian, the coverage spurred public fears about privacy and security.

In turn, growing public outcries fueled rising concerns on a state and federal level and within healthcare organizations about the vulnerability of electronic protected health information (ePHI).

Costly Violations Have Gone Under the Radar

The average OCR settlement or penalty in 2018 was approximately $2.6 million per organization.

Most of these penalties, however, stemmed from violations that drew little public attention because the offending entities were smaller local or state-level healthcare organizations.

Small-to-medium healthcare clinics and organizations are frequent targets of such attacks, not only the large health insurers.

Furthermore, most of the breaches penalized in 2018 could have been prevented if proper compliance and IT security measures had been in place in each organization's internal operations.

HIPAA Violations Are Preventable

HIPAA is more than a technology and information issue. Although the prominence of cybersecurity threats is driving many of the critical conversations about HIPAA compliance, leaders must address how departments throughout the organization handle patient data, as well.

The good news is that you can learn from the mistakes organizations made in 2018. Start taking the necessary precautions to prevent common HIPAA violations in your organization now and in the future.

Preventing Common HIPAA Violations in 2019

Last year, the OCR fined healthcare organizations for a wide range of preventable HIPAA violations that fell within several categories. By addressing those specific categories in 2019, your organization can thoroughly protect patient health information while also taking care to protect itself from violations and fines.

Risk Analysis Implementation Failures

In the 2018 data breach surge, some organizations were fined for failing to act on the findings of their own risk analyses.

An analysis, whether conducted by a third party or internally, identified risks in their environment, such as unsecured patient files, and recommended controls to protect the information appropriately.

When the organization failed to implement the recommended improvements, that inaction ultimately led to a citation. The HIPAA Security Rule requires not only a risk analysis but also an ongoing risk management process that reduces the risks the analysis identifies; a report that sits in a drawer does not satisfy either requirement.

As we enter the fourth quarter of 2019, now is the time to evaluate your risks and safeguards. Obtain a thorough assessment and a list of recommended improvements to shore up your compliance, and document each remediation step and its completion date so you can demonstrate the work if OCR asks.

Ensure that your healthcare organization takes risk analyses and recommended actions seriously in order to prevent violations that can be costly to both your revenue and your reputation with patients.

Impermissible Disclosure of Protected Health Information

Whether due to a cybersecurity breach or human error, impermissible use or disclosure of protected health information is the most commonly cited violation.

Hackers are not the only concern, however. Protected health information can easily reach the wrong hands if staff and providers are not careful.

For example, something as seemingly innocent as a front-desk assistant leaving a screen unattended can put private patient records in full view of other patients – a serious breach of HIPAA and of patient trust.

Similarly, a doctor who emails one patient's medical information to a different patient with a similar name has made a simple human error, but one that can cost an organization gravely.

Whatever the cause of the impermissible disclosure, follow the HIPAA Breach Notification Rule as soon as a misstep is discovered: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and prompt, documented handling limits the damage and reduces your exposure to penalties.

Lack of Appropriate Policies

Some organizations were cited for lacking policies and procedures covering electronic devices such as cell phones, iPads, scanners, and personal computers. Another common gap is the absence of proper vendor policies.

When developing or revising your company’s policies and procedures, ensure your organization is able to answer questions such as:

  • Are employees allowed to use their own electronic devices?
  • If so, what encryption and device controls (for example, full-disk encryption, screen lock, and remote wipe) must they have?
  • How are company-provided devices encrypted, and where may they be used?
  • Do we have a Business Associate Agreement (BAA) with every vendor that handles PHI, and does it define the vendor's breach-notification obligations to us?
  • Do our vendors uphold the same HIPAA standards that we do?

In some cases, citations could have been avoided simply by taking the time to document and institute policies and procedures.

Lack of Encryption or Physical & Digital Safeguards

Healthcare providers are a prime target for hackers. Hospital and insurance records and personal health information are big business for cybercriminals.

Hackers package and sell the data to support fraudulent insurance claims, fraudulent prescription purchases, and identity theft of every kind.

Because of this constant threat, ePHI should be encrypted on every system and device your staff and vendors use, both at rest and in transit. Encryption also matters for breach reporting: under HHS guidance, PHI encrypted in a manner consistent with NIST recommendations is not considered "unsecured," so the loss of such a device is generally not a reportable breach, provided the decryption key was not compromised along with it. Furthermore, whether digital or physical, every place your organization stores data needs appropriate safeguards in place.

Healthcare companies on the cutting edge of technology will increasingly use telehealth and artificial intelligence (AI) to drive healthcare improvements and drive down healthcare costs.

This is an exciting development that lets us serve patients better and more conveniently; however, we must continually ensure that such advances do not come at the cost of privacy, security, trust, and the welfare of those we serve.

HIPAA Planning for 2020 & Beyond

The goal of HIPAA standards is not to make it harder for healthcare companies to share information and provide better overall care; rather, it is to make serving patients safer and more effective.

The most important lesson from the HIPAA violations assessed in 2018 is that we cannot afford to ignore the regulations already in place. If many of the affected healthcare companies had been more proactive, or had taken corrective action more quickly and more appropriately, they might have avoided costly fines.

As we prepare for 2020 and beyond, we can anticipate continued enforcement and further privacy protections. Audit, assess, and reinforce your systems against the rules that already exist, and become more proactive about data security in your teams' day-to-day operations – for it is in the subtle daily nuances of patient care that breaches most often occur.

Do you need help establishing or improving your healthcare organization’s HIPAA policies and procedures?

Contact us for help assessing your current compliance systems and implementing a regulatory compliance program so your organization and your patients are protected.

Phone Number

(623) 980-8018

Mailing Address

PO Box 11651 Glendale, AZ 85318-1651