A steady stream of security breaches, coupled with recent settlements announced by the Office for Civil Rights (OCR), has put healthcare providers on high alert, and one attorney warns that the cost of a breach can extend well beyond an initial HIPAA settlement.
Several OCR decisions—including a $5.5 million settlement with Memorial Healthcare System earlier this month—have highlighted the legal fallout of data breaches in the wake of a record-setting year of hackers targeting healthcare. The costs associated with a breach can extend beyond a settlement since most corrective action plans require providers to hire third-party investigators to assess compliance, according to a post by Password Protected, published by lawyers at McGuire Woods.
Four trends have emerged from recent settlements, writes Kate Hardey, a partner at the law firm:
- Business associate agreements with vendors can be a target for regulators.
- Failure to conduct or implement the findings of a security risk assessment, as required by HIPAA, can lead to hefty fines.
- Cloud service providers are liable for failing to protect patient health information, and providers are required to address security in their business associate agreements with vendors, as outlined in guidance issued by the OCR last year.
- Failure to report a breach within 60 days is an easy compliance target for regulators.
The healthcare industry has been roundly criticized for cybersecurity failures, although one survey indicated security concerns are being handled at the executive level and, in some cases, garnering attention from the governing board.
The Office of the National Coordinator for Health IT (ONC) has indicated that more onsite HIPAA audits are expected in 2017, although many are wondering how HIPAA enforcement will play out under new Department of Health and Human Services Secretary Tom Price, who has voiced his opposition to burdensome regulations.