In 2016 there were a recorded 10.88 million breaches in June alone. This was closely followed by a recorded 9.1 million breaches for the month of August. What this means is that it is the time of year when you need to review your organization's practices when it comes to IT and cyber security.
The HIPAA Breach Rule has specific guidelines for reporting breaches within a certain time frame so that they can be both assessed and rectified. Something small, like a medical record faxed to the wrong number, is easily fixable: shred it, notify all parties involved, and get proof the record was destroyed. But there are more complex matters that need resolution, like a firewall with an appropriate Intrusion Prevention (or Detection) System.
Items specific to cybersecurity are what typically fall through the cracks, so much so that in 2017 80% of offices planned to increase their budget for IT needs. The federal government allocates 16% of its budget to cyber security, while in 2016 it was reported that the health care industry on average spends only 6% or even less on cyber security!
With health care as the number one target for hacks, this gap spells trouble.
With 1 in 4 offices not having the proper safeguards in place to prevent HIPAA violations, it becomes an expensive problem for everyone.
MD Anderson Cancer Center in Houston was just cited with $4.3 million in fines for having 3 unencrypted devices.
The current limit for HIPAA fines is $1.5 million per year, or $50,000 per instance of an identical violation, but fines can jump higher if "willful neglect" is proven, as it was in the MD Anderson case.
The worse news is that if the Office for Civil Rights (OCR), which enforces the HIPAA rules, finds it was a willful act, meaning you knew it was a violation but let it happen anyway, jail time can be added: 1 year for not knowing, and up to 10 years if you knowingly sell patient information.
As daunting as maintaining compliance seems, it can be easy to keep within HIPAA standards at your organization.