Oregon Health and Science University (OHSU) reached a settlement with OCR earlier in July for $2.7 million. The organization had executed six risk analysis over the course of 10 years, but the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) found that those risk assessments did not constitute a sufficient HIPAA compliance plan.
This case should be a clear sign to health care professionals that merely performing a security risk analysis is not enough to protect their organizations from HIPAA violations.
HIPAA regulation specifically outlines a wide series of standards that organizations need to implement in order to maintain compliance. Security risk assessments are important tools that must be executed to find gaps in organizational security infrastructure. However, the law also explicitly states that Administrative and Privacy risk assessments are required.
And even these risk analyses alone still only address a small part of HIPAA regulatory compliance. For a total compliance solution, organizations need to be sure they’re also addressing self-audits (that includes the aforementioned security, administrative, and privacy risk assessments), remediation plans, policies and procedures, employee training and attestation, document and version control, business associate management, and incident management.
Breaches vs. Fines
OHSU had two data breaches that triggered the OCR investigation. The resulting $2.7 million fine, though, was not levied for the breaches themselves, but for the widespread institutional non-compliance that was uncovered over the course of the investigation.
In the end, organizations need to do all they can to mitigate breaches, but the odds of having a device stolen and having a data breach is roughly one in ten based on figures reported by Forbes. Preventative and security measures are important, but the over $12 million in fines that have been levied since the start of 2016 speak to the enforcement efforts that OCR is taking to punish HIPAA violations.
We’ve entered a new era for HIPAA enforcement, and all signs point toward it becoming even more severe as time goes on. OCR has proposed a permanent random audit program to congress that they want to begin rolling out as early as 2017. Non-compliance puts patient data at risk, and new enforcement trends mean that health care organizations are going to be more exposed to fines than ever before.