Based on the frequency and amount of HIPAA fines in 2016, one thing is clear, very clear: the lack of a credible HIPAA compliance program for an organization today, will lead to an increase in business risk.
Multiple alleged HIPAA violations resulted in a $2.75 million settlement with the University of Mississippi Medical Center (UMMC). HIPAA fines typically are in the seven figures. In addition, it always includes a corrective action map (CAP), which requires a comprehensive HIPAA compliance program, mandated with attestation from an organization’s officer over the duration of the CAP period. The duration of the CAP period is typically a minimum of two years, more likely, three years.
The recommendation to senior leadership: select a security framework and establish HIPAA compliance within the context of that framework. There are essentially three options for security frameworks: HITRUST, ISO 27001 and NIST. I would recommend HITRUST. Be deliberate, disciplined, and steady to get HITRUST certified.
Senior executives must treat HIPAA compliance as a life-cycle, as a process. It will lower business risk!
Let’s examine the settlement related to UMMC to better understand how this impacts where you need to set the bar for HIPAA compliance based on Office for Civil Rights (OCR) enforcement of the regulation.
The HIPAA Compliance Program Failures
The core HIPAA Compliance Program failures at the University of Mississippi Medical Center:
- Failure to implement appropriate policies and procedures to prevent, detect, contain and correct security violations
- Failure to implement physical safeguards for all workstations that access electronic protected health information (EPHI) to restrict access to authorized users
- Failure to assign a unique user name and/or number for identifying and tracking user identity in information systems containing EPHI
- Failure to notify each individual whose unsecured EPHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.
On July 25, 2016, the university medical center agreed to settle multiple alleged HIPAA violations with OCR. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.
Your HIPAA Bar:
Has your organization established a credible HIPAA compliance risk management program?
UMMC will pay a penalty of $2,750,000 and adopt a CAP to ensure continual compliance with:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Breach Notification Rules
Your HIPAA Bar:
Does your organization’s HIPAA compliance program continually address the requirements of the three pillars of HIPAA regulations (privacy, security, breach)?
Here is what led to the UMMC breach. On March 21, 2013, OCR was notified of a breach after UMMC’s privacy officer discovered that a password-protected laptop was missing from the center’s Intensive Care Unit. The center’s investigation concluded that it had likely been stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.
OCR’s investigation revealed that EPHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network, because users could access an active directory containing 67,000 files after entering a generic username and password. The directory included 328 files containing the EPHI of an estimated 10,000 patients dating back to 2008.
Your HIPAA Bar:
Does your organization regularly, on a disciplined schedule, conduct vulnerability assessments across your external, internal and wireless infrastructure to identify security gaps that can compromise EPHI?
Has your organization conducted a comprehensive and thorough risk analysis exercise to identify compliance gaps such as use of generic credentials that can access EPHI?
Your Steps for Safeguarding Information (Required!)Formally document and appoint a HIPAA compliance officer with responsibility, budget and authority to manage an enterprise program
- Conduct a comprehensive and thorough enterprise-wide risk analysis exercise annually (be disciplined on the timeline and process)
- Manage a technical vulnerability assessment and penetration testing program that formally assesses these areas for security deficiencies: external, internal, wireless, firewall/DMZ, and mission-critical application(s) (e.g. EHR system)
- Establish a credible enterprise risk management program (ensure every compliance and security gap identified has a formal, documented response and appropriate capabilities implemented
- Encrypt, not just password protect, sensitive information across all mobile devices, including laptops, tablets and smartphones
- Implement Mobile Device Management (MDM) capabilities to effectively manage the security of all mobile devices across the enterprise
- Develop, update and implement appropriate policies and procedures to prevent, detect, contain, and correct security violations
- Ensure active physical safeguards for all workstations that access EPHI to restrict access to authorized users
- Assign a unique user name and/or number for identifying and tracking user identity in information systems containing EPHI (do not use generic credentials that can access confidential information)
- Notify each individual whose unsecured EPHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach
- Build a multi-prong approach for enterprise security awareness training for all members of the workforce (raise the HIPAA knowledge bar for HIPAA compliance and your enterprise security policies, continually with a robust training program)
- Base your enterprise HIPAA compliance program on an industry-recognized security framework (e.g. HITRUST, ISO 27001, NIST)