How Root Cause Analysis Can Help Your Hospital Avoid HIPAA Fines

By Alex MacLachlan March 10, 2017 compliance, data-breach, forensics, incident-response, industry-specialization

The Health Insurance Portability and Accountability Act, or HIPAA, provides data privacy and security provisions for safeguarding medical information. HIPAA regulations are enforced by the Department of Health and Human Services' Office for Civil Rights (OCR). This office carries out its mandate by investigating complaints filed with it and by conducting compliance reviews to determine whether entities are compliant.

Since early 2016, OCR has taken a more aggressive enforcement approach. In the first 45 days of 2017, hospitals were fined $11.4 million and in 2016, OCR obtained more than $23.5 million in settlements from healthcare providers involved in electronic patient data breaches. In comparison, the total collected in 2015 was $6.2 million.

In early 2016, the Feinstein Institute for Medical Research of New York agreed to pay a record fine of $3.9 million to settle a HIPAA violation that resulted in a breach that compromised 13,000 patient records. A few months later, in the biggest HIPAA fine to date, Illinois-based Advocate Health Care paid a massive $5.55 million fine as a result of multiple violations that compromised health records belonging to 4 million individuals.

On top of the fines, OCR ordered affected hospitals to implement a laundry list of corrective actions, including conducting an in-depth risk analysis of all electronic equipment and implementing policies and procedures based on the results of that analysis. The message was clear: OCR is cracking down on entities that violate HIPAA regulations.

In our latest healthcare industry briefing, we explored this issue in depth and found that the largest fines were reserved for hospitals with repeated breaches. In other words, a single isolated noncompliance incident may not have provoked a serious fine, but when an incident exposed a lack of incident management planning or corrective action failures, the fine increased significantly.

This was especially true in the case of Children’s Hospital of Dallas, TX, where a 2013 incident—involving the loss of an unencrypted BlackBerry with ePHI—resulted in a $3.2 million fine for failure “to implement risk management plans, contrary to prior recommendations to do so”.

The findings contained in our briefing underscored the importance of both root cause analysis and root cause resolution. Ensuring that an incident has been conclusively remediated, and corrective action applied across the organization, is the simplest way to reduce the risk of recurring incidents—and mitigate the potential impact of future fines.

Perhaps more importantly, for organizations in highly regulated industries such as healthcare, performing root cause analysis and documenting the resolution steps can demonstrate an overarching commitment to compliance guidelines, as well as to following through on any corrective action recommendations of regulators.

How Can D3 Security’s Incident Management Platform Protect Hospitals

D3’s Incident Management Platform contains a dedicated toolset and workflow for root cause resolution that can prevent incidents from recurring, as they did at Children’s Hospital in Dallas. Used as a systematic component of any incident response performed in D3, the method has reduced incident recurrence by 90%. Customers often set it up to escalate notifications in frequency and up the chain of command until a root cause has been corrected and verified.

In our latest briefing we show how D3’s Incident Management Platform is designed to carry out timely and conclusive corrective action for HIPAA breach incidents. We also detail the role of HIPAA breach playbooks in ensuring streamlined and consistent incident response, and of advanced analytics in the creation of data-driven countermeasures and policies that mitigate the risk of data breaches. Together, these tools and tactics can help hospitals prevent data breaches and subsequent fines.

To learn more about these solutions—and to get a better understanding of HIPAA fines on the rise—download HIPAA Incident Management: How a Hospital’s Multimillion Dollar Fine Could Have Been Avoided.

Alex MacLachlan

Alex is the Director of Marketing at D3. He oversees D3's marketing, communications, and digital programs. He enjoys fishing, "checking the analytics", playing golf and watching hockey - in that order.