In 2018 there were various fines paid by healthcare organizations for failure to comply with the HIPAA security and privacy standards. Reviewing the trends of fines in 2018 can be beneficial to healthcare organizations, providing an opportunity to learn and proactively correct outstanding violations within your organization.
The various trends of fines included lack of compliance in the following areas:
- Failure to implement HIPAA security policies and procedures
- Failure to encrypt devices that store ePHI (electronic protected health information)
- Failure to regularly review system activity and respond to detected incidents
- Failure to conduct a thorough risk analysis of all systems containing ePHI
- Failure to apply sanctions to workforce members who violate HIPAA policies and procedures
- Failure to implement HIPAA policies and procedures at outsourced automated clearing house (ACH)
- Failure to perform risk analysis of outsourced automated clearing house
- Failure to revoke user access to ePHI
- Failure to implement business associate agreements (BAA)
Organizations could potentially prevent fines related to these violations by:
- Creating and implementing business associate agreements (BAA) to ensure all third parties with access to ePHI have a signed BAA to securely protect ePHI
- Creating and implementing (including for third party ACH services) a thorough risk analysis and risk management plan for all systems containing ePHI
- Implementing HIPAA security and privacy training for all workforce members (including for third party ACH services)
- Implementing appropriate sanctions against workforce members who violate the HIPAA security of privacy rules
- Implementing procedures for an information system activity review of network and systems containing ePHI
- Communicating HIPAA security, privacy, and breach notification policies to all workforce members (including for third party ACH services)
- Encrypting all devices that store ePHI
- Implementing access controls that include timely revocation of workforce member’s access when terminated.
- Implementing periodic access reviews to ensure system access is restricted to authorized individuals
With any regulation or law, there are many grey areas for an organization and how they choose to address the regulation. Contact your cybersecurity expert today to determine how your healthcare organization can address HIPAA security and privacy requirements to lower the risk of failing to comply with HIPAA standards.