HIPAA Violations: Don't Be A Headline - InformationWeek

Healthcare // Policy & Regulation
Commentary
Stephen Treglia
9/16/2014 09:37 AM
HIPAA Violations: Don't Be A Headline

No HIPAA violation case has ever gone to court, for interesting reasons. Here's advice on avoiding violations in the first place.

Violations of the Health Insurance Portability and Accountability Act (HIPAA) make excellent news stories for three reasons. First, they are scandalous and damage the standing of an organization whose reputation is built on trust; second, they resonate with every individual who could be at risk of identity fraud; and finally, they usually carry a big price tag.

HIPAA was enacted in 1996. Its Privacy and Security Rules govern how covered entities (healthcare providers, health plans, and clearinghouses) and their business associates handle protected health information (PHI), and the 2009 HITECH Act added the breach notification requirements described below. Penalties for violations range from civil money penalties to criminal prosecution and imprisonment.


However, while HIPAA enforcement actions are frequent and varied, one outcome is always the same: every HIPAA violation has been settled out of court. This is an interesting phenomenon, and there are several reasons behind it.

Money, money, money
It costs a lot of money to defend against a HIPAA action, and litigation can last for months, running up hundreds of thousands of dollars in legal fees. In the case of a recent healthcare breach, the HIPAA action was brought by the Minnesota Attorney General and lasted six months before a settlement was reached. This was followed by a class action suit. By settling both, the healthcare organization ended the court proceedings, reducing its legal fees and keeping some control over the size of the penalty.

Better the devil you know
HIPAA statutes and regulations are untested in the legal system, which makes discretion seem the better part of valor. Organizations want to avoid being the test case for a HIPAA verdict in the courts. They fear that a full-blown defense would result in a penalty or civil assessment that would cost significantly more than a settlement. With no precedent, organizations prefer to err on the side of caution.

Crisis management: Be proactive, then move on
The indirect cost of reputation damage from a HIPAA violation is often as large as the penalty itself. Once a violation occurs, healthcare organizations go into crisis management mode and work to limit the harm to their reputations.


PR 101 recommends that an organization own a high-profile mistake, apologize, pay a hefty compensation, and move on quietly. Lengthy court cases prolong the media attention for months, possibly even years. And if an organization becomes the first to see a HIPAA action through to verdict, its brand will be tied to HIPAA forever. By avoiding court and paying the settlement, organizations shorten the scandal and minimize reputation damage.

Steps to take in the event of a data breach
Once a HIPAA violation has been discovered internally, an organization should take the following steps.

-- Prepare a crisis management team. A HIPAA breach will affect most departments in an organization, so it is important to establish a crisis management team composed of department heads including public relations, human resources, IT, legal, and finance. Each participant should provide relevant information pertaining to the incident. For example, IT can provide an audit log showing a device's security posture at the time of the breach (whether full-disk encryption was enabled on a lost laptop, for instance), and that evidence should be preserved unaltered for investigators. It is important to ensure that a detailed communications plan is in place and that employees know how they should respond to questions about the breach.

-- Notify the appropriate parties. For a breach of unsecured protected health information affecting 500 or more individuals, the US Department of Health & Human Services (HHS) Breach Notification Rule requires the organization to notify the affected individuals and HHS without unreasonable delay, and no later than 60 days after the breach is discovered. If more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified within the same window.

If the breach involves fewer than 500 people, the organization must still notify the affected individuals within 60 days of discovery, and must log the breach and submit the log to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Note that the clock runs from discovery, not from the date the breach occurred, and that a breach is treated as discovered on the first day it is known, or reasonably should have been known, to anyone in the organization other than the person who caused it.

-- Respond to the civil money penalty (CMP). HHS determines the CMP based on general factors including the nature and extent of the violation, the nature and extent of the resulting harm, the organization's history of prior compliance (including violations by its business associates), the organization's financial condition, and any other extenuating factors. Once HHS issues its notice of the proposed penalty, the healthcare organization must respond either by paying it or by requesting a hearing to contest it.

How to avoid a HIPAA violation

  • Review and update HIPAA privacy and security policies and procedures, and stay current with regulatory compliance requirements.
  • Educate employees about data security procedures for physical records, mobile devices, and the data stored on them.
  • Encrypt protected health information stored on portable devices, including laptops, tablets, and smartphones. PHI encrypted in accordance with HHS guidance is not "unsecured," so the loss of an encrypted device whose key was not also compromised does not trigger the breach notification obligations above; the loss of an unencrypted one does.
  • Deploy a persistent security and management software agent that lets you maintain a connection with a device regardless of user or location.
  • Be able to prove device and data security compliance with encryption status reports and anti-virus and anti-malware reports showing that these controls were in place and working at the time of the incident. (This is an important step in satisfying the HHS Office for Civil Rights, which will ask for that evidence during an investigation.)
  • Ensure your security software lets you perform remote actions on the device, such as data deletion, data retrieval, device freeze, and forensic investigation, in the event of a security incident.


As Legal Counsel at Absolute Software, Stephen provides oversight and guidance on regulatory compliance related to data breaches and other security incidents. He counsels the Absolute Investigations team, which conducts data forensics, theft investigations, and device ...

Comments
jagibbons, User Rank: Ninja, 9/19/2014 | 6:57:49 AM
Re: Own it and fix it
The test of a HIPAA or data breach incident response plan is about walking through all the steps. The response team reviews roles and responsibilities. The response team ensures that communication tools and templates are set up. The goal is to make sure pieces and parts of the response plan are there. This also provides an opportunity to bring new staff up to speed on the process.
Broadway0474, User Rank: Ninja, 9/18/2014 | 10:38:10 PM
Re: Own it and fix it
jagibbons, how exactly do you test a HIPAA incident response plan? I can understand testing for other sorts of disasters --- data breaches, even terrorist attacks --- but HIPAA violations don't seem that complex. Couldn't you set up a policy/team based on best practices, then tweak after real incidents?
jagibbons, User Rank: Ninja, 9/17/2014 | 10:43:04 AM
Re: Own it and fix it
My two cents: your incident management team and response plan should exist now, whether or not you've had an incident. It will evolve each time it is tested or used, but if you experience an incident without having any plan, any response and remediation will be that much more challenging.
Broadway0474, User Rank: Ninja, 9/16/2014 | 10:52:27 PM
Re: Own it and fix it
Great information for any organization dealing with healthcare and patient data. I just have one question/comment --- perhaps nit-picky! But I am wondering if organizations should wait until an incident occurs to form a crisis management team. Shouldn't this team exist already, prepared to leap into action?
jagibbons, User Rank: Ninja, 9/16/2014 | 10:03:05 AM
Own it and fix it
Great advice to own up to the breach and be transparent about addressing it. The fact is that a breach is a failure of trust, not just a failure to abide by the law. Take responsibility for it. Pay the fines. Fix the holes and move forward.