HIPAA Data Breaches and HIPAA Enforcement are definitely off to the races in the first 2 months of 2017. While previous years have started slowly and then gradually picked up, 2017 is already well ahead of that pace. 2016 ended as a RECORD year for both HIPAA Data Breaches (329 Data Breaches affecting more than 500 Individuals) and HIPAA Enforcement Fines ($23.5 Million), but 2017 is off to a quicker start in both of those categories.
Remember that the government only posts details about the data breaches that impact 500 individuals or more. Here are some key facts to know about 2017 HIPAA Data Breaches through February 28, 2017:
- 42 Data Breaches impacting greater than 500 Individuals have been reported
- Unauthorized Access/Disclosure leads the Type of Breach Category with 17 (40%) – Hacking/IT incident comes in a close second with 13 (31%)
- 312,827 Individuals have been impacted by the 42 data breaches
- Unauthorized Access/Disclosure and Hacking/IT Incident account for 289,584 (93%) of the total individuals impacted
- Paper/Films is the #1 location of data breaches with 10 (21%), followed by Network Server in #2 place with 8 (19%)
- The largest Data Breach was reported by Emory Healthcare due to a Hacking/IT incident impacting 79,930 individuals
- California has had the most reported data breaches with 8, followed by Ohio with 4
- Business Associates were only involved in 3 of the reported data breaches
Comparing what we are seeing in 2017 to where we were at the end of February 2016, the number of reported data breaches affecting more than 500 individuals is slightly up. The location of data breaches and the type of data breaches remain consistent with what was seen at the beginning of 2016.
HIPAA Enforcement has been active in 2017 as well. We continue to hear about the HIPAA Audits, with on-site audits starting sometime in 2017 or 2018. You can prepare for your HIPAA audits by comparing your organization’s HIPAA policies and procedures, as well as its practices and safeguards, with the HIPAA Audit Protocol.
HIPAA corrective action plans (CAPs) with monetary fines have made a fast and furious start in 2017. In the first 2 months of the year, 4 HIPAA CAPs with monetary fines have been assessed, totaling $11.4 Million. In 2016 we saw only 1 HIPAA fine in the first 2 months of the year. Of course the monetary fines and CAPs are always concerning for organizations; however, your organization can learn from what others are being held accountable for. Review the information on the CAPs and see where the non-compliance with HIPAA occurred. Then, as necessary, make changes within your organization. The main categories for the 2017 CAPs with monetary fines are:
- Inappropriate delay in data breach reporting (reported after 60 days from the date of discovery)
- Inappropriate implementation of information system activity reviews
- Inappropriate oversight of user setup and user management
- Lack of implementation of encryption technology on mobile devices
- Lack of current HIPAA Risk Analysis
- Insufficient policies and procedures for HIPAA Compliance
Ask yourself a question – do you view HIPAA as out of sight, out of mind in your organization? If the answer is YES, now is the time to make a change. Implementing a strong HIPAA Compliance Program can help your organization. A strong HIPAA Compliance program isn’t just about written policies and procedures that collect dust on the shelf. A strong HIPAA Compliance program consists of:
- HIPAA Policies and Procedures
- HIPAA Request Forms for Patients’ Rights
- A Complete Notice Of Privacy Practices
- Established Technical, Physical, and Administrative Safeguards
- Conducting a regular HIPAA Risk Analysis
- Strong Workforce Education
- Effective User Management and Oversight of systems containing Protected Health Information
- Auditing practices for verification of compliance
- Ongoing evaluation of current safeguards established by the organization
Let me know if you ever have any questions – anything HIPAA goes!!
Until Next Time,