UPDATED MAY 7, 2019: Shortly after McDonald Hopkins published the blog below on the most prevalent HIPAA violations resulting in settlements, the Office for Civil Rights of the Department of Health and Human Services announced another HIPAA settlement, this one with Touchstone Medical Imaging, a Tennessee-based provider of diagnostic medical imaging services that agreed to pay $3 million arising out of patient information that was publicly accessible to search engines. The press release and Resolution Agreement highlight multiple common HIPAA violations referenced in the article, including failures to conduct adequate risk analysis, to manage risks and limit access, to have business associate agreements with vendors and to provide timely breach notification. An additional concern was the failure to thoroughly investigate the incident after being notified of the problem by the FBI and OCR.
A recent article identified the following as the HIPAA violations that have been most prevalent in HIPAA settlements:
- Impermissible disclosure of protected health information (PHI) or snooping
- Failure to perform an adequate enterprise-wide assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI (ePHI) (risk analysis)
- Inadequate risk management to safeguard ePHI
- Failure to enter into appropriate business associate agreements
- Failure to provide timely breach notification
- Insufficient PHI access controls
- Failure to encrypt ePHI
- Failure to provide patients with timely access to their PHI
The HIPAA settlements, while significant, show only the tip of the iceberg of the costs involved with inadequate safeguards. Other PHI breach costs include expenses for investigations, breach notification to individuals and government agencies, remediation and operational disruption, as well as damage to goodwill (reputational harm and lost business) and potential exposure to class action litigation. Estimates have indicated average costs of $2 million per health care breach and $200 per victim. A physician practice in Michigan announced plans to close on April 30 after hackers staged a ransomware attack and deleted patient files.
Covered entities and business associates need to remain diligent in taking proactive steps to safeguard PHI. Actions of particular importance include:
- Review the cybersecurity best practices recommended in Health Industry Cybersecurity Practices: Managing and Protecting Patients and determine how to revise practices, policies and procedures to more effectively address cybersecurity concerns.
- Conduct and regularly update enterprise-wide risk analysis for all PHI held by the covered entity or its business associates (or, in the case of a business associate, all PHI held by it or its subcontractors) and implement safeguards to address the identified risks.
- Identify all business associate relationships and ensure that appropriate business associate agreements are in place.
- Conduct regular privacy, security and breach response training.
- Implement and regularly test an incident response plan.
For more information, please contact the attorney listed below.