A Strong Incentive for Risk Assessments

Recent Fines Demonstrate Feds Enforcing HIPAA Requirements
The lack of a current, thorough risk assessment can prove very costly, as recent action by federal regulators illustrates.
Authorities have issued penalties in excess of $1 million to two organizations that were investigated following relatively small breaches and found to be lacking a current risk assessment as required under HIPAA. The resolution agreements in each case also pointed out other alleged HIPAA compliance shortcomings. But the lack of risk assessments that could have identified factors leading to the breaches seemed to be key in the regulator's decisions to levy hefty penalties.
This week, the Department of Health and Human Services' Office for Civil Rights issued a $1.5 million HIPAA penalty against Massachusetts Eye and Ear Infirmary as part of a settlement agreement. The report of a breach involving a physician's stolen unencrypted laptop sparked an OCR investigation.
In a similar case, OCR in June issued a $1.7 million penalty against the Alaska Department of Health and Social Services. That investigation was triggered by the theft of an unencrypted storage device.
Small Breaches, Big Problems
"These cases show that risk assessment continues to be a priority for the Department of Health and Human Services," says Adam Greene, who formerly worked at OCR and is now a partner at the law firm Davis Wright Tremaine. "Small breaches will lead to big problems if OCR's investigation finds insufficient risk assessment."
Because the Massachusetts hospital breach happened back in 2010, "when unencrypted laptops were the norm, and since this is not a large organization, I have sympathy for Mass Eye and Ear," says one source familiar with the hospital, who asked not to be identified.
Given the hefty penalty levied against the hospital, the source is hopeful that larger organizations that have deeper pockets will be slapped with even higher penalties if they experience breaches and are found to be coming up short when it comes to HIPAA compliance.
"Given that it's now 2012 ... I'd expect the penalty to be proportionally higher and into the multimillions" when involving larger organizations, the source says. "But I'm not holding my breath."
I predict that OCR, indeed, will issue many more tough penalties in the months ahead in cases involving the failure to conduct a thorough, timely risk assessment and apply encryption to mobile devices. After all, there have been many dozens of breaches tied to the loss or theft of unencrypted devices or storage media.
The recently unveiled final rules for Stage 2 of the HITECH Act electronic health record incentive program are another good indicator of the importance regulators place on risk assessments as well as encryption.
The "meaningful use" rule requires healthcare providers to conduct a risk assessment that includes addressing the issue of encrypting stored information. And the software certification rule requires that EHRs automatically encrypt patient information stored on end-user devices.
Given the recent HIPAA settlements, and the Stage 2 HITECH rules, healthcare organizations can no longer afford to delay conducting timely risk assessments and making widespread use of encryption.