The Health and Human Services’ Office for Civil Rights (OCR) recently reached a settlement demanding $1.5 million and corrective action as penalty in the Blue Cross Blue Shield of Tennessee case. This and the other similar breach cases where heavy penalties were sought, make us wonder ‘what are the determinants of the fine imposed by OCR?’
Clarifying this, Leon Rodriguez, the Director of the Department of HHS OCR said that in the event of a major data breach, HIPAA enforcers will weigh several factors before deciding whether to impose a hefty fine or not. This includes looking into the number of records breached, the vulnerabilities that led to the breach, and steps taken by the organization to remedy these vulnerabilities once they were discovered.
Questions That Have to be Answered
Rodriguez says that if there has been a data breach in your organization, you are bound to answer the following questions posed by the OCR investigators:
- Do you have policies and procedures governing data security?
- Do you have a training program?
- Have you done a risk assessment?
- Do you have disciplinary policies?
- Have you evaluated the need for physical, administrative, and technical safeguards?
- Do you live by the product of your evaluation?
He says that these questions are directed towards finding out whether you have in good-faith, done the basic things that HIPAA requires you to do. He noted that in a majority of cases where high financial penalty was sought, organizations at some point, had failed to follow the very basic norms set by HIPAA.
Rodriguez also states that if your organization has taken the necessary steps after a breach has been discovered, and tries to remedy the problems, then OCR will consider these when determining the enforcement course of action. With regard to the purpose of OCR investigations, Rodriguez says that the main aim is not to look for enforcement cases, but to explore vulnerabilities, and in a constructive way find ways to fix those vulnerabilities.
Lessons to Learn
Rodriguez stresses that most healthcare breaches have involved loss or theft of storage devices or records rather than hacking. So the lesson for you to learn is that the culture of compliance matters a lot. This would mean ensuring that your organization adopts and accepts compliance and security as a basic routine. This requires ensuring technical and physical safeguards apart from making employees understand what HIPAA compliance means, and why protecting privacy is important.
According to Rodriguez an effective way to build awareness about privacy and security is by letting people see the enforcement actions taken against organizations that have failed in their duty.
While you may be learning many lessons from several data breach cases, you certainly don’t want to be in that list yourself. And one sure way to ensure this is to adopt a comprehensive security and compliance management solution like SecureGRC. By doing this you can not only make sure that everything required by HIPAA is followed, but you can also ensure better control over your data, and get improved visibility of your security and compliance status.