A Stitch in Time Could have Saved…$1.6 Million in HIPAA Penalties?

If you’re a Covered Entity (“CE”), that “creates, receives, maintains, or transmits electronic Protected Health Information (“ePHI”)”, then perhaps the recent string of HIPAA violations and subsequent civil monetary penalties are worth a moment of reflection.

Is your CE in compliance with HIPAA’s Administrative Simplification Rules?

The Texas Health and Human Services Commission (“HHSC”) must pay $1.6 million dollars in fines for numerous & protracted violations of HIPPA Rules. Here’s the 411:

1. On June 11, 2015, HHSC submitted a report to the Office of Civil Rights (“OCR”), the enforcement arm of Health & Human Services, that it discovered a security vulnerability in a web application for a program under the umbrella of HHCS’ oversight. This vulnerability meant that, among other items, the names, addresses, and SSNs of 6,617 persons was viewable via the Web by unauthorized persons.
2. In August of 2015, HHSC responded to OCR’s investigation that though it performed “risk assessment activities” on applications, it never performed an “agency-wide” security risk analysis.
3. It wasn’t until the Spring of 2018 that HHSC conceded to OCR that they had no written evidence of an attempt to “mitigate” or provide an “affirmative defense” with respect to the ePHI breach.

Resulting penalties for HHSC include the:

• Impermissible disclosure of PHI of at least 6,617 persons;
  • Max penalty of $100K; final penalty of $100K
• Failure to implement access controls (requiring users to validate credentials);
  • Daily penalty, max of $100K/year; final penalty of $500K
• Failure to implement audit controls; and
  • Daily penalty, max of $100K/year; final penalty of $500K
• Failure to perform an “accurate, thorough, & enterprise-wide” risk analysis (“RA”).
  • Daily penalty, max of $100K/year; final penalty of $500K.

Lessons to Learn? CE’s MUST:

1. conduct an accurate, thorough, and enterprise-wide RA;
2. implement administrative, physical, & technical safeguards to ensure the confidentiality, integrity, & accessibility of ePHI; and
3. maintain documentation of the RA, periodically evaluate the effectiveness of security measures in place, and train the workforce.

ComplianceDashboard offers tools to assist CEs in maintaining compliance with HIPAA Rules. And, if you have 30 minutes next week, please register & join us for a free webinar November 19 at 1 pm EST for a refresher on the HIPAA Security Rule.

The information and content contained in this blog post are for general information purposes only, and does not, and is not intended to, constitute legal advice.