
With HIPAA fines on the rise, simply hoping that regulators won’t notice your HIPAA non-compliance is no longer a viable option.

The Health Insurance Portability and Accountability Act (HIPAA) is a major hurdle for small healthcare providers. Without the in-house resources to dedicate to enforcing consistent HIPAA compliance, some providers have chosen to either fly under the radar and hope that regulators won’t notice their systems lack the correct processes and controls, or delay addressing their HIPAA issues until they have more time or resources to allocate to the task.

Neither of these strategies is a good idea. As cybercriminals continue to assault healthcare organizations at unprecedented levels, HIPAA regulators have greatly increased their efforts to enforce compliance, which includes collecting a record number of HIPAA non-compliance penalties in 2018. Despite the penalties, organizations continue to stumble over HIPAA compliance, with more healthcare records breached in the first 6 months of 2019 than in all of 2018.

More aggressive inspections and increased fines for non-compliance mean that it is time for healthcare providers of all sizes to start approaching HIPAA with greater seriousness.

Why Do So Many Organizations Still Struggle With HIPAA?

HIPAA compliance isn’t a mystery. All the processes and controls required by HIPAA regulators are plainly laid out in the text of the regulation, which you can browse here. While understanding those controls and applying them to your organization can be a hurdle, the problem we see most often is organizations that are struggling to maintain the consistent effort that HIPAA requires.

Like any compliance effort, HIPAA is not a one-time project, but an ongoing program that requires vigilant monitoring and maintenance. Even small changes in your network technology — at either the infrastructure or application level — can knock a system out of compliance or change your compliance needs.

The Basics: Safeguarding Electronic Protected Health Information

Electronic protected health information (ePHI) is any such data that’s produced, transferred, or saved on your systems. Organizations that handle ePHI, no matter how often or how much, are known as covered entities under HIPAA, and are subject to a range of HIPAA requirements appropriate to their size, capability, and risk.

That sounds vague because in some areas HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations a certain amount of freedom to determine how best to protect their data. While there’s room for flexibility, organizations that access ePHI must be prepared to protect that information with three separate types of safeguards: technical, physical, and administrative.

The Three Primary Safeguards of HIPAA

Technical

The technical controls and processes in HIPAA include the implementation of centrally managed access controls, the consistent encryption and decryption of all ePHI, controls for authentication and integrity, the creation of audit trails, and much more.

Physical

HIPAA demands that your office and network are both secured from physical tampering and intrusion. Complete Network will secure your server rooms and workstations with today’s best practices for physical security, including the management, storage, and disposal of network devices.

Administrative

Administrative safeguards account for over half of HIPAA’s requirements. This broad category includes processes for risk analysis and management, assigning security responsibilities, security incident management, and more.

Remember, ePHI isn’t like credit card data. Once a person’s social security number or health information has been leaked to the public, that information can’t be changed or reset to prevent hackers from maliciously using that information to do harm.

Any healthcare organization – big or small – is required to safeguard ePHI according to HIPAA requirements.

The Role of Security Risk Assessment

All HIPAA engagements should start with a thorough risk assessment. Without a methodical approach to analyzing and prioritizing your organization’s systems and vulnerabilities, you’ll be unable to design an effective roadmap for improving your cyber defenses and ensuring HIPAA compliance.

To help us conduct risk assessments, Complete Network uses the federal guidelines outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Originally developed to help government agencies secure national infrastructure, the NIST Cybersecurity Framework has since been widely adopted by organizations in the healthcare field to lay a strong foundation for HIPAA compliance.

The NIST Risk Assessment Process

  • Identify
  • Detect
  • Protect
  • Respond
  • Recover

Another commonly used guideline for validating your cybersecurity process is the cybersecurity triad of confidentiality, integrity, and availability — often shortened to the “CIA triad.” This tool is useful because some organizations discover that cybersecurity controls impede productivity and collaboration; the CIA triad can help prevent that from occurring.

Confidentiality

Confidentiality is about ensuring ePHI is not made available or disclosed to unauthorized individuals, which includes training staff about potential security risks that could harm ePHI confidentiality.

Integrity

Integrity in the context of HIPAA means making sure that data is not altered or destroyed in an unauthorized manner. Proper integrity controls should cover the entire course of the data’s lifecycle, including transit to and from cloud services.

Availability

Availability is about maintaining the systems and hardware that store and access ePHI, while also protecting them against threats such as malware and cyberattack, which can disrupt access to healthcare data. Other strategies like back-ups, disaster recovery, and encryption also fall under this category.


Proper Vendor Management is Vital to HIPAA Preparedness

A business associate, in HIPAA terms, is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement in place with each vendor before they gain access to your ePHI. This applies to all the service providers that support healthcare organizations, including:

  • Medical billing service providers
  • Calendar and scheduling software providers
  • Cloud storage providers
  • Disaster recovery services

For even a small healthcare provider, this can mean maintaining dozens of different vendor relationships and agreements. Examples of business associate management overwhelming providers are common, like the recent incident at the Pagosa Springs Medical Center in Colorado, in which the hospital was fined $115,000 for not properly managing its relationship with a web-based scheduling application.

Complete Network helps healthcare organizations implement a systematic approach to handling their business associate agreements, ensuring that vendor systems are compliant with HIPAA regulations and that annual audits and maintenance are both performed according to requirements.

The Cost of Non-Compliance

According to recent research by the Healthcare Information and Management Systems Society (HIMSS), 75% of respondents said that their organization experienced a significant security incident in the last 12 months. Depending on how negligent your organization is deemed to be, a single leaked record could cost you anywhere from $100 to $50,000, with a maximum penalty of $1.5 million per year for each violation.

Here’s how the actual cost of a fine is calculated:

For each set of circumstances, the first figure is the penalty per violation and the second is the penalty cap for identical violations in the same calendar year:

  • The covered entity does not know, and could not have known, of the breach: $100 – $50,000 per violation; $25,000 – $1,500,000 per year for identical violations.
  • The covered entity “knew, or by exercising reasonable due diligence would have known,” but did not act with willful neglect: $1,000 – $50,000 per violation; $100,000 – $1,500,000 per year for identical violations.
  • The covered entity acted with willful neglect but took steps toward remediation within 30 days: $10,000 – $50,000 per violation; $250,000 per year for identical violations.
  • The covered entity acted with willful neglect and took no steps toward remediation within 30 days: $50,000 per violation; $1,500,000 per year for identical violations.

HIPAA Violation Leads to Reputational Loss

It’s not just the direct monetary losses that come with HIPAA non-compliance, though. Another important factor to consider is the reputational harm that comes with publicly acknowledging that you’ve let data fall into the hands of cybercriminals.

Consumer confidence in the healthcare industry is high, with 80% of respondents to a recent research study saying they trust healthcare providers to keep information safe. However, the reality is that healthcare sees 34% of all data breaches, higher than any other industry, according to the Data Security Risk Report by law firm BakerHostetler, and that 31% of consumers cut ties with an entity following a data breach.

While reputational loss can be difficult to quantify, it’s important to factor it into any risk-impact analysis of HIPAA non-compliance, as according to experts like the Reputation Institute, intangible factors could make up as much as 81% of your organization’s market value.

A Trusted HIPAA Partner for the Healthcare Community

There’s no substitute for having a trusted partner at your side to help you with your HIPAA compliance programs. If you’re a healthcare organization in the Albany, NY or Charlotte, NC area that’s looking for an expert to help develop or strengthen your HIPAA compliance program, our friendly team is here to help.

Call us any time at 877.877.1840 or email us at [email protected].

Need help?

We’re passionate about helping small and midsized healthcare providers in Albany, New York and Charlotte, North Carolina. If you would like to achieve strong HIPAA compliance, contact us now.