Even though Meaningful Use, now MIPS, has been in production since 2012, often, we hear healthcare providers tell us they haven’t started their HIPAA compliance because they are too small to worry about being audited. Some also claim that the Office of Civil Rights (OCR) has eased their enforcement of HIPAA and are focused on larger organizations. This is very concerning for us to hear, especially because we have seen an increase in healthcare breaches for both large and small organizations. Breaches that have resulted in significant fines, loss of patient records, and reputation.
HIPAA Reporting Deadline for 2019 is December 31st
The claim that organizations can fly under the radar has been said often enough that we want to address the issue head on. HIPAA enforcement is here to stay. All organizations are at risk of a data breach and can’t afford to look the other way. Security and HIPAA compliance should be a top priority also because under MIPS, the HIPAA Security Risk Analysis must be done by December 31st or the last-day of the reporting period.
According to a recent article published by Health IT Security, “The department of Health and Human Services Office for Civil Rights enforcement of HIPAA has remained strong over the last year, with renewed focus on small breaches and the need for performing and documenting routine security risk assessments.”
All organizations face great scrutiny
Not only has the OCR enforcement increased, they have been issuing larger fines for breaches and investigating an increasing amount of smaller organizations. In fact, just a couple of weeks ago, on November 5, 2019 the OCR issued a press release outlining the $3 million HIPAA settlement reached with the University of Rochester Medical Center (URMC).
URMC filed two different breach reports in 2013 and again in 2017, both referencing the loss of an unencrypted flash drive and the theft of an unencrypted laptop. Both incidents resulted in the unauthorized disclosure of PHI.
Roger Severino, OCR Director said, “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
In this case, the investigators found that URMC failed to:
- Conduct an enterprise-wide risk analysis
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Utilize device and media controls
- Employ a mechanism to encrypt and decrypt ePHI when it was reasonable and appropriate to do so
An increasing trend
This incident could have been avoided if they had followed the HIPAA regulations and completed an annual Security Risk Analysis. This isn’t the first large breach we have read about this year and it won’t be the last. However, there are things you can do TODAY to help your organization from falling victim to be the next breach.
We would strongly urge organizations of ALL sizes to complete a Security Risk Analysis annually. If you haven’t completed your analysis for 2019, it is not too late! In addition to completing an annual risk analysis, it is important to review all your cybersecurity policies, procedures, and hold an employee training at the very least annually.
Finding a solution that simplifies, automates, and fits your budget
When we started HIPAA One and created the HIPAA One software, the goal was to simplify, automate, and reduce the administrative burden of conducting and maintaining a HIPAA Security Risk Analysis by at least 80%. We know HIPAA compliance isn’t what you want to spend your time doing. That is why we created a solution to efficiently and effectively help you with your compliance so you can focus on what matters most, helping patients.
To learn more about completing your Security Risk Analysis before December 31, 2019, contact us to schedule a call to discuss how we can help.