Last year was a record-setting year for HIPAA enforcement. On HHS’s website, OCR has touted its 2018 enforcement:
OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2018:
Lessons from 2018
Increase awareness of phishing.
Phishing remains an enormous problem for data security, especially in healthcare, which is being ravaged by phishing attacks. Organizations should step up protections against phishing, which include providing more extensive training to the workforce about being on guard for phishing attacks and how to spot suspicious emails.
Use a business associate agreement.
Use a business associate agreement (BAA) when required.
Do the basics.
This point follows from the point about using BAAs. In most of the cases involving financial penalties, the HIPAA violations are not subtle or nuanced or a matter of some novel interpretation of HIPAA. Nor are most penalties issued for failing to meet some arcane requirement under HIPAA. Most fines are for failing to do the basics.
Conduct risk assessments! I repeat: Conduct risk assessments!
Copied verbatim from my post last year: If HIPAA enforcement were a song, risk assessments would be the chorus line. Year after year, the HIPAA enforcement cases nab many organizations for insufficient risk assessments – or, in some cases, none at all.
Take disciplinary action for violators.
One of the cases involved a charge of failing to discipline an employee for a HIPAA violation. Be sure that there are meaningful and appropriate consequences for violating HIPAA.
Train the workforce about basic common sense.
A few cases involved exposing PHI to the media without patient consent. This might seem like basic common sense, but it is surprising how often caregivers and others will have lapses in common sense. The solution is to train, train, train! It is often not enough to say something once. People learn when messages are repeated throughout the year. Never assume that anything is too obvious to be said. And never assume that just saying it is enough. The point must be made in a way that resonates. Merely telling people aughts and naughts will often be ineffective unless people really care — they must appreciate why it matters.
Encryption isn’t optional under the HIPAA Security Rule. It’s addressable, which means that it must be implemented if reasonable and appropriate. If an addressable specification isn’t reasonable or appropriate, then a reasonable and appropriate alternative must be used. This must be documented.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the International Privacy + Security Forum (Apr. 3-5, 2019 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.