The OCR’s Notorious Wall of Shame

Posted on May 16, 2022 by ncmgm

Originally published by HealthMark Group on January 13, 2022
2022 Alliance sponsor feature article courtesy of HealthMark Group

Avoiding HIPAA Breaches and the “Wall of Shame”

Ever-evolving developments in healthcare technology, aimed at increasing efficiency and access, are growing at an exponential rate. That may offer more effective processes and support better care coordination, but it also leaves many practitioners finding it exceedingly difficult to remain compliant amid all of the security measures guided by the Health Insurance and Patient Accountability Act (“HIPAA”). Whether dealing with staffing shortages, clinic expansion, or a lack of training, avoiding breaches of personal health information (“PHI”) is both a top priority and an ongoing challenge.

When breaches do occur, HIPAA requires they be reported to the U.S. Department of Health & Services Office for Civil Rights (“OCR”). Violations affecting 500 individuals or more must be reported within 30 days of discovery to impacted individuals and within 60 days to the OCR and local media. OCR also publishes information identifying these breaches on what has become known as the OCR “Wall of Shame”. Established under the HIPAA Breach Notification Rule and HITECH Act, the Wall of Shame lists the names and other details of organizations under investigation due to a violation that has occurred within the last 24 months. To state the obvious, you do not want to be placed on this list.

Recent Statistics

  • In 2021, 607 violations affecting nearly 45 million individuals were submitted to the OCR and are now visible on the Wall of Shame (a 20% increase in breaches compared to 2019, only two years prior) 1
  • Breaches have increased 84% in the last five years, with 329 reported in 20162
  • The average cost per record breached hit $499 in 2020 on an upward trend, totaling $13.2 billion for the year3
  • Unauthorized access/disclosure accounts for 34% of violations every year, up 162% over the past three years4
  • Hospitals typically account for 30% of all large data breaches4

Potential Financial Consequences

Most often, the OCR resolves cases through voluntary compliance or by accepting a covered entity’s plan to address the breach and adjust policies and procedures to avoid future violations. For severe cases, the Enforcement Final Rule of 2006 allows the OCR to issue financial penalties to covered entities that fail to comply with HIPAA Rules. There are currently four main tiers of such violations5:

  • Tier 1, $100 – $50,000 per breach: A violation that the covered entity was unaware of and could not have reasonably avoided.
  • Tier 2, $1,000 – $50,000 per breach: A violation that the covered entity should have been aware of but could not have avoided.
  • Tier 3, $10,000 – $50,000 per breach: This violation is considered to be the result of willful neglect in instances where corrective measures were taken within a reasonable timeframe.
  • Tier 4, $50,000 per breach: This violation is considered to be the result of willful neglect in instances where no corrective measures were taken to resolve the breach.

While less common, criminal penalties do exist in addition to fines for various violations, including malicious intent (i.e., selling data for harm or commercial gain).

How HealthMark Can Help

With management of PHI at the core of HealthMark’s business, it remains the highest priority to keep data secure and compliant. Our team responsible for the handling of medical records is required to undergo Certified Release of Information Specialist (“CRIS”) training and certification to demonstrate understanding of patient privacy rights and HIPAA requirements. Guidelines around HIPAA, the Privacy Rule, Information Blocking, etc. are constantly evolving, making regulatory education one more thing for practices to manage. Our goal as a partner is not only to offer services that ease administrative loads, but to also do the work for clients by combing through often convoluted details and staying abreast of the most important changes that are occurring. By doing so, we can share with clients what they need to know and when, which allows our clients to focus more of their limited resources on their primary goal of patient care.

  1. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  2. https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/
  3. https://www.beckershospitalreview.com/cybersecurity/healthcare-data-breaches-up-55-1-in-2020-report-finds.html
  4. https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
  5. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

Filed under: Education, healthcare, technology | Tagged: , , , , , , , , , , , , , | Leave a comment »

The 411 on HITECH and HIPAA IT Compliance

Posted on July 13, 2020 by ncmgm

By Judi Grassi

2020 Alliance sponsor feature article courtesy of Carolinas IT: A Logically Company

Most group practices and clinics have adopted the Electronic Health Record (EHR). If you’re one of these organizations, you know how imperative it is to keep your Electronic Protected Health Information (EPHI) safe. Both HIPAA and the HITECH Act lay out very specific requirements about data protection and regardless of your size, you are required to keep your Protected Health Information (PHI) data secure. This is especially imperative if your organization electronically transmits health information for financial or administrative reasons, such as claims processing, benefit eligibility, referral authorization requests, and other transactions defined under the HIPAA Transactions Rule.

Three Areas of HIPAA IT Compliance

HIPAA IT compliance is the responsibility of every administrative and clinical staff member in your organization. To make compliance requirements easier to digest, HHS established three areas of HIPAA IT compliance.

    1. Administrative — These measures ensure the integrity of patient data and accessibility only to authorized parties. It requires HCOs to:
      • Implement a security management process that identifies potential risks to EPHI and appropriate security measures to reduce risks and vulnerabilities.
      • Designate a security official who is responsible for ensuring HIPAA and HITECH compliance.
      • Identify who has authorized access to EPHI.
      • Provide appropriate security training to employees and follow through with appropriate sanctions against any employee who violates security policies.
      • Perform a periodic assessment to assess the effectiveness of your security policies.
    2. Physical — These measures ensure the security of facilities and devices that contain EPHI. It provides HCOs to:
      • Limit physical access to their facilities to authorized personnel only and protect against physical intrusion.
      • Ensure secure access to workstations and electronic media. This includes procedures for the transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of EPHI.
    3. Technical — These measures ensure that your IT systems and networks are secure from data breaches and unauthorized access. It requires HCOs to:
      • Protect their IT systems against digital intrusion and ensure that EPHI is transmitted over a secure network.
      • Only allow authorized individuals to access EPHI and ensure IT systems provide an audit trail to track EPHI access.
      • Ensure EPHI is not improperly or erroneously altered or destroyed.

HITECH Compliance

The HITECH Act of 2009 shored up these privacy and security provisions:

  • HCOs, business associates, and service providers are all responsible for the security of EPHI.
  • HCOs must promptly notify affected individuals whose PHI was compromised.
  • HCOs must report any security breach that affects more than 500 individuals to the HHS Secretary.
  • HCO business associates must notify the HCO of any breach at or by the business associate.
  • Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis.

How to Comply with HIPAA and HITECH Technical Measures
Whether you are a hospital, clinic, medical practice, HCO business associate, or HCO service provider, you will need to address the following in order to comply with HIPAA and HITECH technical measures.

  • Develop policies and procedures for data backup and recovery.
  • Back up your data on a regular, frequent basis and ensure you can retrieve exact copies of EPHI and restore any lost data. Follow the 3-2-1 backup rule: 3 copies of your data across 2 media with 1 copy stored offsite.
  • Establish acceptable but aggressive Recover Time Objectives (RTOs) and Recovery Point Objectives (RPOs) and develop a disaster recovery plan that meets these objectives.
  • Periodically test your disaster recovery plan to be sure it works before a real disaster happens.
  • Perform an annual risk assessment to determine whether your systems and data are a security risk and how vulnerable you are to attack.
  • Develop a data breach response plan to identify who is responsible for what when a breach occurs, how to communicate with individuals whose PHI was compromised, how to handle the media, minimize further data loss, and remediate the breach.
  • Encrypt EPHI data in transit and at rest.
  • Ensure HCO business associates and service providers meet HIPAA and HITECH security requirements.

Noncompliance Fines
If you are found in noncompliance with HIPAA and HITECH regulations, it can cost you. Fines are based on the violation category or level of perceived negligence and can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation (see Figure 1).

Carolinas-IT-Table1

Figure 1

If you are breached and fined, your organization is listed on the HHS Office for Civil Rights (OCR) Breach Portal and “Wall of Shame” if the breach involves 500 or more individuals. If your organization has a breach of this magnitude, the name of your HCO will be permanently listed.

Final Thoughts

HCOs have two choices when it comes to HIPAA IT compliance requirements: DIY (Do It Yourself) or hire an IT Managed Service Provider (MSP). Whether you are a large or small HCO, you may find that you have limited IT resources and/or skills in-house to ensure your EPHI is private and secure. Therefore, many HCOs look to HIPAA-compliant MSPs to back up their systems, ensure the privacy of EPHI, and provide the best protection from security breaches.

Figure 1: Categories of Violations and Respective Penalty Amounts Available. Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95

Filed under: News | Tagged: , , , , , , , , , , , , , , , , , | Leave a comment »