As the proactive investigative arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) has decided to focus on smaller healthcare data breach cases, those involving fewer than 500 compromised patient-clients. The resources of HHS and the OCR have been primarily devoted to larger cyber breach cases, sometimes involving many thousands and even millions of patients. Though it adamantly claims that it has looked into smaller breaches since HIPAA laws were enacted, the OCR's move to aim its investigative powers more assiduously at smaller cases has reportedly been made in hopes to "devote more resources to investigating smaller breaches." (Source: Healthcare IT News)
So, why is the OCR really stepping up its investigations of healthcare providers (and their business associates) who get blindsided by cyberattack? Maybe it’s because many of the cyberattacks and data breaches are inside jobs, and investigating smaller firms, clinics, and practices holds out more hope of finding cybercriminal needles in corporate haystacks. Maybe it’s a sense of fairness, where resources have been traditionally allocated to looking into the breaches happening in larger organizations. Whatever the case, as of August, the OCR has informed its regional offices to dig deeper into the causes of data breach and PHI exposure involving healthcare providers with fewer than 500 clients.
One wonders why the sudden shift in focus to smaller clinics and providers when huge settlements among equally huge corporate healthcare organizations aren't slowing down. Just this week, Advocate Health Care Network agreed to pay out the largest HIPAA settlement to date: a reported $5.5 million for allowing data to be compromised involving 4 million of its patient-clients. (Source: Cyber Security Intelligence, Sept. 5, 2016) In fact, the settlements have grown bigger and bigger, at an almost exponential rate. Smaller providers mean smaller settlements for equal investigative time, which seems counter-intuitive to judicious investigatory practices.
Compliance, Security, and Punishment
No matter the size of the healthcare organization, hiring a seasoned IT support team to provide managed services and proper cybersecurity costs far less than the inevitable fines and settlement costs that go along with HIPAA non-compliance and egregious data breaches. And the fines can still be significant for healthcare SMBs. Case in point: the $50,000 settlement paid out by the Hospice of North Idaho after one of its unencrypted laptops was stolen. At the time (2013), former OCR director Leon Rodriguez said of the theft and settlement: "This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information." (Source: Healthcare IT News)
One thing the many HIPAA settlement cases show us all is how important it is to implement a sound cybersecurity strategy for your company network. The best course of action for healthcare providers and other high-risk industries is to have monthly IT service support in place, to eliminate the possibility of a successful data breach before a network intrusion, or a massive settlement due to non-compliance, even occurs.