Recent events highlight the fact that threats to customer and patient data continue to increase. In recent months, government agencies, news outlets, and others have spent considerable time investigating and reporting on major worldwide ransomware attacks, including the "Petya" and "WannaCry" events. Moreover, numerous companies have reported significant malware or security breach events, including InterContinental Hotels Group, Arbys, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care System, Chipotle, Gmail, and Verizon, among many others.
Healthcare providers and companies have become particular targets, also. Since the beginning of July alone, HIPAA Journal has reported on more than 20 security incidents involving providers and health care companies, including Peachtree Neurological Clinic in Atlanta (ransomware), Tampa Bay Surgery Center (data theft), and White Blossom Care Center in San Jose, California (former employee inappropriately accessing information).
For health care providers and health care companies, this increase in threats to patient data increases the importance of robust HIPAA compliance measures to help guard against such threats. Most importantly, health care providers and companies should (1) conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (i.e., a HIPAA risk analysis) in their possession and (2) create and implement HIPAA policies and procedures.
These measures form the foundation of overall HIPAA compliance, and both are specifically required under the HIPAA regulations. Without them, health care providers and companies will be unable to satisfy HIPAA requirements and will be more vulnerable to HIPAA security incidents. The Office for Civil Rights ("OCR") at the U.S. Department of Human Services remains focused on these core compliance measures, as is evident from recent HIPAA settlements.
On April 12, 2017, OCR announced a $400,000 settlement with Metro Community Provider Network ("MCPN"), a federally qualified health center, after a breach report indicated that a hacker had accessed employee e-mail accounts through a phishing campaign and obtained the electronic protected health information of 3,200 individuals. In announcing the settlement, OCR cited MCPN for failing to conduct a risk analysis until the breach occurred and subsequently conducting a risk analysis that was insufficient to meet HIPAA requirements.
Shortly thereafter, on April 24, 2017, OCR announced a $2.5 million settlement with CardioNet, a cardiac monitoring provider, after a laptop containing the information of 1,391 individuals was stolen from an employee's vehicle. In the settlement, OCR pointed to CardioNet's failure to conduct a sufficient HIPAA risk analysis and to the fact that its HIPAA Security Rule policies and procedures were in unimplemented draft form (i.e., had not been formally adopted).
These settlements indicate that, in addition to leaving health care providers and companies vulnerable to security incidents, failure to conduct HIPAA risk analyses and to create and implement HIPAA policies and procedures will likely lead to substantial fines if OCR conducts an investigation triggered by an OCR audit, a company breach report, or the filing of a complaint by a concerned patient or employee. Thus, health care providers and their business associates should ensure that they take these key steps toward overall HIPAA compliance to be prepared for OCR investigations and to better protect themselves and their patients in the current environment.