The Health Insurance Portability and Accountability Act (HIPAA) is a major hurdle for small healthcare providers. Without the in-house resources to dedicate to enforcing consistent HIPAA compliance, some providers have chosen to either fly under the radar and hope that regulators won’t notice their systems lack the correct processes and controls, or delay addressing their HIPAA issues until they have more time or resources to allocate to the task.
Neither of these strategies is a good idea. As cybercriminals continue to assault healthcare organizations at unprecedented levels, HIPAA regulators have greatly increased their efforts to enforce compliance, which includes collecting a record number of HIPAA non-compliance penalties in 2018. Despite the penalties, organizations continue to stumble over HIPAA compliance, with more healthcare records breached in the first 6 months of 2019 than in all of 2018.
More aggressive inspections and increased fines for non-compliance mean that the time has come for healthcare providers of all sizes to start approaching HIPAA with greater seriousness.
HIPAA compliance isn’t a mystery. All the processes and controls required by HIPAA regulators are plainly laid out in the text of the regulation, which you can browse here. While understanding those controls and applying them to your organization can be a hurdle, the problem we see most often is organizations that are struggling to maintain the consistent effort that HIPAA requires.
Like any compliance effort, HIPAA is not a one-time project, but an ongoing program that requires vigilant monitoring and maintenance. Even small changes in your network technology — at either the infrastructure or application level — can knock a system out of compliance or change your compliance needs.
Electronic protected health information (ePHI) is any such data that’s produced, transferred, or saved on your systems. Organizations that handle ePHI, no matter how often or how much, are known as covered entities under HIPAA, and are subject to a range of HIPAA requirements appropriate to their size, capability, and risk.
That sounds vague because in some areas HIPAA wasn’t designed to be a one-size-fits-all regulation. Instead, it gives organizations a certain amount of freedom to determine how best to protect their data. While there’s room for flexibility, organizations that access ePHI must be prepared to protect that information with three separate types of safeguards: technical, physical, and administrative.
Remember, ePHI isn’t like credit card data. Once a person’s Social Security number or health information has been leaked to the public, that information can’t be changed or reset to prevent hackers from using it maliciously to do harm.
Any healthcare organization – big or small – is required to safeguard ePHI according to HIPAA requirements.
All HIPAA engagements should start with a thorough risk assessment. Without a methodical approach for the analysis and prioritizing of your organization’s systems and vulnerabilities, you’ll be unable to design an effective roadmap for improving your cyber defenses and ensuring HIPAA compliance.
To help us conduct risk assessments, Complete Network uses the federal guidelines outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Originally developed to help government agencies secure national infrastructure, the NIST Cybersecurity Framework has since been widely adopted by organizations in the healthcare field to lay a strong foundation for HIPAA compliance.
Another commonly used guideline for validating your cybersecurity process is the cybersecurity triad of confidentiality, integrity, and availability — often shortened to the “CIA triad.” This tool is useful because some organizations discover that cybersecurity controls impede productivity and collaboration; the CIA triad can help prevent that from occurring.
Availability is about maintaining the systems and hardware that store and access ePHI, while also protecting them against threats such as malware and cyberattacks, which can disrupt access to healthcare data. Other strategies like backups, disaster recovery, and encryption also fall under this category.
A business associate under HIPAA is any person or organization that interacts with your ePHI. HIPAA requires that you have a business associate agreement in place with each vendor before they gain access to your ePHI. This applies to all the service providers that support healthcare organizations, including:
For even a small healthcare provider, this can mean maintaining dozens of different vendor relationships and agreements. Examples of business associate management overwhelming providers are common, like the recent incident at the Pagosa Springs Medical Center in Colorado, in which the hospital was fined $115,000 for not properly managing its relationship with a web-based scheduling application.
Complete Network helps healthcare organizations implement a systematic approach to handling their business associate agreements, ensuring that vendor systems are compliant with HIPAA regulations and that annual audits and maintenance are both performed according to requirements.
According to recent research by the Healthcare Information and Management Systems Society (HIMSS), 75% of respondents said that their organization experienced a significant security incident in the last 12 months. Depending on how negligent your organization is deemed to be, a single leaked record could cost you anywhere from $100 to $50,000, with a maximum penalty of $1.5 million per year for each violation.
Here’s how the actual cost of a fine is calculated:
| Circumstances | Penalty Per Violation | Penalty Per Identical Violation in the Same Calendar Year |
|---|---|---|
| The covered entity did not know, or could not have known, of the breach. | $100 – $50,000 | $25,000 – $1,500,000 |
| The covered entity “knew, or by exercising reasonable due diligence would have known,” but didn’t act with willful neglect. | $1,000 – $50,000 | $100,000 – $1,500,000 |
| The covered entity acted with willful neglect but made steps toward remediation within 30 days. | $10,000 – $50,000 | $250,000 |
| The covered entity acted with willful neglect but made no steps toward remediation within 30 days. | | |
It’s not just the direct monetary losses that come with HIPAA non-compliance, though. Another important factor to consider is the reputational harm that comes with publicly acknowledging that you’ve let data fall into the hands of cybercriminals.
Consumer confidence in the healthcare industry is high, with 80% of respondents to a recent research study saying they trust healthcare providers to keep their information safe. However, the reality is that healthcare accounts for 34% of all data breaches, higher than any other industry, according to the Data Security Incident Response Report by law firm BakerHostetler, and that 31% of consumers cut ties with an entity following a data breach.
While reputational loss can be difficult to quantify, it’s important to factor it into any risk-impact analysis of HIPAA non-compliance, as, according to experts like the Reputation Institute, intangible factors can make up as much as 81% of your organization’s market value.
There’s no substitute for having a trusted partner at your side to help you with your HIPAA compliance programs. If you’re a healthcare organization in the Albany, NY or Charlotte, NC area that’s looking for an expert to help develop or strengthen your HIPAA compliance program, our friendly team is here to help.
Call us any time at 877.877.1840 or email us at [email protected]