HIPAA compliance is only getting tougher.

While all industries fell victim to data breaches in 2017, the healthcare sector continued to be one of the most targeted. With regulatory requirements to live up to, healthcare executives must stay consistently on the ball, adjusting their cybersecurity plans to ensure they don’t run afoul of HIPAA rules. This has become increasingly difficult with today’s more sophisticated attacks, most notably ransomware, ransomworms and whatever happens to pop up next.

In July, the US Department of Health & Human Services’ Office for Civil Rights (OCR) sent a clear message about the importance of health information security: you won’t be able to hide your mistakes from the public. OCR took the fear of non-compliance to another level with a revision of its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about data breaches, and harder for offenders to hide in the aftermath of a breach.


The Risks

If you store medical records or patient data, you may be violating HIPAA if you don’t have the appropriate data security measures in place. When it comes to regulatory compliance, HIPAA’s rules are not empty threats, and the consequences of violating them can be severe. Evidence of OCR’s aggressive enforcement was seen in a number of settlements this past year:

  • OCR settled its first enforcement action for a health care provider’s failure to timely report a breach to OCR, affected individuals, and the media. It cost the health care company $475,000.
  • In April, OCR announced a tiny $31,000 settlement with a small health care provider for failing to produce a business associate agreement (BAA) with one of its business associates, and, just four days later, a separate $2.5 million settlement with a larger healthcare company for failing to implement sufficient HIPAA policies and procedures.
  • Memorial Hermann, a large health system, settled potential HIPAA violations with OCR for $2.4 million after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.

No surprise here: HIPAA fines are expensive. Not only can violations lead to civil and criminal penalties, the damage to an organization’s reputation can be lasting. In addition to fines ranging from $50,000 per violation to a maximum annual penalty of $1.5 million, HIPAA violations can also result in your business being excluded from Medicare.


Security Beyond Compliance

Fulfilling regulatory compliance requirements may spare you government oversight and fines, but it does not exempt you from other recourse, including loss of business, lawsuits, or reputation damage. Compliant or not, these are all potential consequences of a data breach. It’s important to remember that being compliant does not mean your organization is safe, nor does it mean your organization is immune to the consequences of a data breach.

In today's technology-intensive healthcare practice, you need an IT partner who understands your business. We get your world—well enough to have been named to the Healthcare 100 by CRN Magazine, as one of the nation’s top IT service providers to the medical community.

Contact SLPowers today to talk about implementing a multi-layered security solution — in conjunction with impactful employee security training — to mitigate your risk.