This year, the healthcare sector has seen a dramatic rise in HIPAA enforcement, settlement agreements and the resumption of the OCR Audit Protocol. The number of healthcare records that were breached in 2015 (113 million) was almost triple the total number of records breached between 2009 and 2014 (41 million). That, along with the unprecedented number of ransomware attacks facing the industry this year, shines a spotlight on healthcare information security.
So far this year, the OCR has entered into 10 resolution agreements with entities governed by the HIPAA rules. Compared with the previous six years, this is astounding: in both 2014 and 2015 there were 6 resolution agreements for the whole year, and just eight months into 2016 that number has nearly doubled. The number of agreements and the settlement amounts speak volumes about the significance of compliance with the HIPAA rules. More than half of the resolved investigations this year involved inadequate security safeguards and a failure to conduct the organization-wide risk analysis that the HIPAA Security Rule requires. In most of those cases, had the entity conducted a thorough risk analysis and corrected the risks it identified, the outcome of the investigation could have been much better. The following is a list of this year's resolution agreements and settlement amounts:
On July 11, 2016, OCR notified the current pool of auditees of their selection and sent them submission requirements for their HIPAA documentation. If you have not received a selection notification by now, you can breathe easy for a few months, but you are not out of the pool: OCR may still select you for an audit in a later round. This audit protocol is expected to develop into a continuous cycle of proactive auditing, rather than reactive investigations triggered only when a breach is reported. The goal is to get in front of problems before they happen. By the end of this year, OCR expects to have notified the selected Business Associates and to have kicked off the onsite portion of its audit protocol.
The cyber landscape has not improved for the healthcare sector this year. Last year, we saw some well-publicized hacking attacks against major insurers that compromised about 100 million patient records in just three major incidents. This year, instead of hacking attacks aimed at stealing data, we are seeing an unprecedented number of ransomware attacks against both large and small organizations. Hospitals in California, Texas, Kansas, Kentucky, Maryland and DC have all been victims of ransomware. In at least two cases, the hospitals paid the ransom in order to regain access to their information: Hollywood Presbyterian paid $17,000 (against a widely reported initial demand of $3.4 million), and Kansas Heart Hospital in Wichita recently paid an undisclosed amount.
Technology continues to shape the cyber landscape for healthcare entities. This new reality presents an ongoing challenge to meet our responsibility to protect the patient information we create, maintain, and store. Every covered entity must have a complete HIPAA compliance program in place, and third-party vendors are an important part of a good one. Training and support companies like TMC can help establish policies and procedures, and professional IT companies can help ensure that the technical infrastructure is secure.
OCR audits and investigations are a very real possibility, so today is a great day to take a hard look at your organization. Do you have documented policies and procedures? Have they been communicated to employees? Can they actually be enforced? When did you last complete a Security Risk Assessment or HIPAA Risk Analysis? Do you know the current state of your network? And who is watching your house so that you can sleep soundly at night?