Agency Secures $1.25M Settlement in Reported HIPAA Violations

Agency Secures $1.25M Settlement in Reported HIPAA Violations-2-7-23
February 7, 2023 65 view(s)
Agency Secures $1.25M Settlement in Reported HIPAA Violations
This month, the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) announced a $1.25 million settlement after a cybersecurity breach exposed a non-profit health organization’s data that was covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), constituting possible HIPAA violations. The potential HIPAA violations affected 2.81 million consumers. Indeed, incidents of cybersecurity breaches and data loss continue across all industries and have implications in multiple employment laws. In December 2022, the HHS applied an employer’s HIPAA obligations to online data tracking. The OCR guidelines included obligations to keep sensitive electronic health data secure and protected.

Possible HIPAA Violations and the Cybersecurity Incident

The OCR initiated its investigation after a breach report indicated a possible cybersecurity hack that compromised millions of users’ electronic personal health information (ePHI). In detail, compromised data included names, dates of birth, addresses, Social Security numbers, lab results, medications, diagnoses, and more. According to the OCR’s investigation, the organization’s potential HIPAA violations included:
  • a lack of a risk analysis of the organization’s ePHI storage methods;
  • insufficient systems monitoring;
  • failure to use an authentication process to safeguard ePHI; and
  • a lack of security measures during data transmission.
All in all, OCR investigators found that the potential HIPAA violations were long-term and pervasive. This was particularly concerning, considering the organization kept the ePHI of nearly 3 million users.

Employer Obligations Under HIPAA Security Rule

HIPAA is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement requirements under HIPAA. Standards under HIPAA also include cybersecurity obligations. The HIPAA Security Rule establishes standards to protect individuals’ ePHI. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. In detail, covered entities under HIPAA include:
  • most health-care providers,
  • health plans,
  • business associates, and
  • health-care clearinghouses.
These covered entities may disclose personal health information only as expressly permitted or required by the HIPAA Privacy Rule.

Penalties for HIPAA Violations

As a result of the purported HIPAA violations, the organization paid $1.25 million to the OCR and agreed to a comprehensive corrective action plan. Briefly, the corrective action plan identifies steps the organization will take to resolve these HIPAA violations and protect ePHI in the future. Steps within the plan include the following:
  • conducting a thorough risk analysis of data systems;
  • developing and implementing a risk management plan;
  • creating and distributing relevant policies and procedures, including a regular system review, an authentication process, and security measures during ePHI online transmission; and
  • reporting to the HHS within thirty days of any future HIPAA violations.
The OCR also provides resources to help covered entities under HIPAA improve their cybersecurity and avoid HIPAA violations. Relevant HIPAA Security Rule Guidance Material includes educational tools, physical and technical safeguards, and information on performing a risk analysis.

Cybersecurity Awareness Training

Presently, many laws require businesses to take reasonable steps to protect personal information collected from customers, employees, or job applicants. Given that, all employees must know the common workplace cybersecurity threats and recognize what protections are available against cyberattacks. To assist employers, Personnel Concepts has developed an online, interactive Cybersecurity Awareness Training Program. Explicitly, businesses of any size and industry can help train employees on keeping personal information safe by using this resource.
by

NOTE: The details in this blog are provided for informational purposes only. All answers are general in nature and do not constitute legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The author specifically disclaims any and all liability arising directly or indirectly from the reliance on or use of this blog.

Comments
Leave your comment
Your email address will not be published
Leave your comment
Loading...
Options chevron-down
Contact Us
Compliance 101A
Categories chevron-down
Search the blog chevron-down
Recent posts chevron-down
Latest EEOC Enforcement Data Shows Increased Pre-Litigation Activity Latest EEOC Enforcement Data Shows Increased Pre-Litigation Activity
54 view(s)
EEOC Pens Letter to Companies Regarding Title VII Compliance and DEI Initiatives EEOC Pens Letter to Companies Regarding Title VII Compliance and DEI Initiatives
112 view(s)
NLRB Officially Reinstates Previous 2020 Joint Employer Standard NLRB Officially Reinstates Previous 2020 Joint Employer Standard
197 view(s)
OSHA Releases New Job Safety and Health Workplace Poster OSHA Releases New Job Safety and Health Workplace Poster
430 view(s)
Agency Releases Newly Proposed Independent Contractor Status Rule; Seeks Employer Comments Agency Releases Newly Proposed Independent Contractor Status Rule; Seeks Employer Comments
54 view(s)