A couple of stories from the last month or so that are required reading if you are a HIPAA-regulated company or plan on ever doing business with HIPAA-regulated companies: Make sure your BAAs are in order and small security breaches are the new target.
Small Security Breaches are New Target for HIPAA Violation Fines
Taking another step toward more aggressive enforcement under the Health Insurance Portability and Accountability Act (HIPAA), on August 18, 2016, the U.S. Department of Health & Human Services Office for Civil Rights announced that it will begin to “more broadly investigate” breaches of protected health information affecting fewer than 500 individuals.
While the OCR has had authority to investigate breaches of all sizes, it has focused primarily on large-scale breaches and entered into only a handful of settlement agreements with entities experiencing these “small breaches.” With this initiative, OCR’s regional offices have been told to “increase efforts to identify and obtain corrective action to address entity and systemic noncompliance related to [small] breaches.”
Recent settlements of cases where OCR investigated smaller breach reports include Catholic Health Care Services, Triple-S, St. Elizabeth’s Medical Center, QCA Health Plan, Inc., and Hospice of North Idaho. The smallest monetary settlement on that list was over $200,000, not counting the costs of corrective actions. Most of them were much more than that.
Long story short: If you thought you were safe because you’re a smaller organization or the breach was small and OCR was targeting larger breaches, you may want to rethink your strategy.
In Other HIPAA News…
If you do business with HIPAA-regulated entities, or you’re a clinic that works with outside vendors, make sure your business associate agreements (BAAs) are in order and up-to-date. As this recent HHS news release shows, it can be quite expensive if you don’t. A clinic in Rhode Island had a BAA signed with Care New England, but it hadn’t been updated since it was originally written and signed in 2005 and didn’t incorporate the HIPAA Omnibus Final Rule until it was rewritten in late 2015, after several exchanges of PHI had taken place in the intervening years.
Long story short: You should always have a BAA with your vendors, but you need to make sure that BAA is up-to-date. HHS has a sample BAA on their web site that is a good starting point, but your HIPAA Security Officer should have final say over it as well.
If you are overwhelmed, frustrated, confused, or all of the above regarding HIPAA and how to make headway in your compliance efforts, give us a call. We are happy to meet with you to discuss where you currently stand and what your best next steps would be. We offer a variety of services to help out, including performing security risk assessments and providing remediation solutions for common compliance issues, and we even facilitate a group of HIPAA security officials from different organizations in the Bend area. You don’t have to try to figure out HIPAA on your own – give us a call!