There’s pain in the voices of CISOs who haven’t been able to persuade their executive team to invest in an accurate, thorough enterprise-wide HIPAA risk analysis and risk management plan.
CEOs too often are willing to take on risk to increase revenue rather than mitigate existing risk to avoid cost. The story goes something like: “We’ll never be chosen for an audit; fewer than 200 organizations have been selected. Even if we do have a breach, it’s unlikely they’ll ever decide to investigate us. There are 1,800 organizations listed on OCR’s wall of shame, in an industry that has over 10,000,000 organizations responsible for protecting PHI. What are the chances?!”
OCR investigations and the resulting resolution agreements / corrective action plans bring increasingly large settlement amounts, broad exposure, reputational damage, and ongoing incremental operational costs and distraction. And those enforcement actions often arise from circumstances that OCR wants to highlight in order to make a specific point.
OCR has demonstrated that all types of organizations are subject to enforcement actions. Examples include:
- State Universities – Idaho State University and the University of Mass-Amherst
- County government – Skagit County Public Health Department
- Community Services – Anchorage Community Mental Health Services
- State Government – Alaska Department for Health and Human Services
- Private Physician Practices – Cancer Care Group and Phoenix Cardiac Surgery
- Specialty Services – Massachusetts Eye and Ear Infirmary
- Research institutions – Feinstein Institute for Medical Research
OCR has demonstrated that all types of regulatory violations are subject to enforcement actions. Examples include:
- For a breach under 500 Records – Hospice of North Idaho
- For not filing a required breach report – the first one following the HITECH Act – BCBST
- For not reporting breaches in timely manner – Presence Health
- For lack of institutional oversight – University of Mississippi Medical Center
- For failure to erase photocopier hard drive – Affinity Health Plan
- For failure to cooperate – CIGNET
- Referral from OIG, for marketing without permission – Management Services Organization
OCR has demonstrated that varying trigger events may result in enforcement actions:
- Nine (9) of the fifty (50) investigations that led to settlement agreements were initiated by complaints.
- Another four (4) were initiated following news reported in the media.
- Five (5) others focused on business associates and business associate agreements.
- Lately, since OCR fixed its tracking system (thanks to OIG’s recommendation), the filing of multiple breach reports by the same organization has stimulated investigative activity and resulted in settlement agreements with six (6) more organizations.
- Successful hacks have prompted OCR to look into the policies, procedures and evidence of monitoring access, implementing patches, and social engineering training of five (5) organizations, in addition to another five (5) dinged for not having encrypted laptops, thumb drives or mobile devices.
Good news – all the OCR Resolution Agreements / Corrective Action Plans are available for review and learning.
So the short story is that it doesn’t have to be a big breach, or a complex situation, or even a blatant failure for OCR to decide that an enforcement action, and ultimately a resolution agreement and corrective action plan, is in order.
Once they are in, if the case involves ePHI, you can be 100% certain that they will be looking for the risk analysis that would have identified the vulnerability exploited by the threat, because the controls and safeguards were insufficient to protect the information. And when that risk analysis wasn’t done, or wasn’t done right, the fines and disruption will follow.