Lessons learned from a $65,000 HIPAA fine

Last week the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a press release announcing that West Georgia Ambulance has agreed to pay a settlement of $65,000. In addition to the monetary penalty, the organization agreed to adopt a corrective action plan that includes two years of monitoring from the OCR.

OCR began its investigation after West Georgia Ambulance filed a breach report in 2013 regarding the loss of an unencrypted laptop computer. The computer contained the protected health information of 500 individuals. As the OCR investigated the breach, they found the organization had several ongoing HIPAA non-compliance issues, including failure to conduct a security risk assessment (SRA), failure to provide a security awareness and training program, and failure to implement HIPAA security rules and procedures.

Despite OCR’s investigations and technical assistance, West Georgia did not take meaningful steps to address the risks and vulnerabilities found, which resulted in $65,000 in fines issued seven years later, in December of 2019.

In announcing the settlement, OCR Director Roger Severino noted that “the last thing patients who are being wheeled into an ambulance should have to worry about is the privacy and security of their medical information.” He went on to state, “All providers, large and small, need to take their HIPAA obligations seriously.”

Data breaches often lead to investigations

There are several lessons to be learned from this announcement. The first is that data breaches often lead to OCR investigations. In this case, West Georgia was investigated after they reported a breach affecting 500 individuals to the Breach Portal. Through the investigation, the OCR found non-compliance issues, and unfortunately the issues that were found were not addressed properly or in a timely manner. As a result, the OCR issued a financial penalty and corrective action plan to the organization.

The lesson we learn here is that organizations that work proactively to prevent data breaches can drastically reduce the chance of an investigation resulting in HIPAA fines. When it comes to HIPAA, you can’t just identify risks and leave it at that. You need to assign each risk a priority level of high, medium, or low. Once you have prioritized your risks, you can begin working on the highest risks by creating an action plan, setting target dates, and working towards mitigating each risk.

Fines can be issued retrospectively

The West Georgia breach occurred in 2013 but the fines weren’t issued until December of 2019. It is important to note that the OCR can issue penalties for incidents that happened years ago – in this case almost seven years after the initial breach. This is an important lesson to note because in our own experience helping clients through audits, we have also seen the OCR and State Attorneys General ask for documentation for up to six years. If you experienced a breach and were audited today, would you feel confident that your organization has been actively working to fulfill the HIPAA requirements since 2014?

Completing a security risk assessment (SRA) can identify issues early

Failure to conduct an SRA is a common reason why organizations are audited and penalized. The OCR requires an SRA to be completed annually. By completing an SRA, organizations can identify risks and vulnerabilities before they become a security incident. For West Georgia, if they had completed an SRA they would have known that encryption is one of the technical safeguards of HIPAA that should have been addressed. The lesson we learn here is that completing an annual SRA can help identify and mitigate risks before they become a security threat.

The OCR is not particular about when they issue penalties. It doesn’t matter if it is the end of the year, a holiday, or you are on vacation. In this case, the penalties were issued on December 30, 2019. This is the third announcement in just over a month of the OCR enforcing a potential HIPAA violation.

Reducing the number of breaches in 2020

With cyber-attacks on the rise and with breaches happening daily, healthcare organizations are facing greater scrutiny than ever before. Experiencing a breach can be devastating for an organization. It not only leaves them vulnerable to audits, fines and penalties, but it can result in the loss of reputation and patient trust. Luckily, with HIPAA One®, you have a team of certified auditors on your side. As an industry leader in HIPAA compliance, we guarantee our clients will pass an audit. In fact, we often ask to be their first call in the case of a breach or audit so we can help from the very beginning. In addition to our 100% pass rate, HIPAA One® follows the OCR’s HIPAA audit protocol and NIST methodologies to help organizations best identify gaps in security and compliance.

In the spirit of the new year and decade, our goal is to help organizations simplify and prioritize compliance to collectively reduce the number of breaches in 2020. It all starts with completing an annual Security Risk Assessment. Completing an SRA allows organizations to see exactly where they are vulnerable and what needs to be addressed to secure and protect patient health information.

To get started, schedule a call with one of our certified compliance experts.