With the average cost of a cyber attack in 2021 at $4.24 million, and with the healthcare industry the hardest hit by ransomware attacks in 2021, it is hard to believe that any healthcare provider, from small to large, would not make compliance with the Health Insurance Portability and Accountability Act (HIPAA) a top priority. Understandably, small and mid-sized healthcare providers do not have the manpower or financial resources to staff a corps of HIPAA privacy and security officers the way larger providers and health systems do. However, gone are the days of doing nothing and trying to fly under the radar.
Cyber incidents and data breaches in the healthcare industry are becoming more frequent and more severe, and as long as a dark web underworld reaps huge profits from cybercrime, and until a "cure" is found for malicious employees and human error, this will remain the case. Federal and state enforcement activity and the resulting penalties and fines reinforce this conclusion. Taken together, the human resource and financial costs of managing a HIPAA breach or cyberattack, issuing the required regulatory notices, and paying the fines that federal and state agencies may impose can cripple a small or mid-sized healthcare provider.
A strong HIPAA compliance program must address both HIPAA privacy compliance and HIPAA security compliance. While the Privacy Rule focuses primarily on the principles of permissible use and disclosure of protected health information (PHI), the Security Rule requires that appropriate administrative, physical, and technical safeguards be established and implemented to ensure the confidentiality, integrity, and availability of electronic PHI, or e-PHI, meaning PHI maintained or transmitted in electronic media. Implementing all of the "required" and "addressable" implementation specifications of the Security Rule is not trivial. It demands an ongoing security risk analysis to identify threats and vulnerabilities, together with a risk management plan to remediate the risks identified and maintain an appropriate level of security over time.
The stick, of course, is the possibility of federal and state financial penalties and corrective action plans and, for criminal violations of HIPAA and state privacy laws, possible prison sentences.
Penalties for HIPAA violations and breaches can mount quickly, including fines of hundreds of thousands or even millions of dollars. More recently, the federal government has begun to offer a potential carrot through an amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The amendment requires the Department of Health and Human Services (HHS), when determining fines, the length and results of audits, and any other remedies it may impose, to "consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place." As a result, the agency may reduce or waive fines or other penalties that would otherwise be imposed for a noncompliance incident or HIPAA breach, and may terminate early an ongoing audit or investigation of a covered entity or business associate.
"Recognized security practices" are the "standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities."
The HITECH Act amendment states that the specific security practices are to be determined by the covered entity or business associate and must be consistent with the HIPAA Security Rule. Guidance for such organizations is available from a number of sources, including HHS and the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. HHS maintains a Section 405(d) website sponsored by the 405(d) Program and Task Group, a partnership between private industry and the federal government formed to raise awareness and provide vetted cybersecurity practices.
The 405(d) Task Force identified the “Top 5 Threats” currently facing the healthcare and public health (HPH) sector: email phishing; ransomware; lost or stolen devices; insider, accidental or intentional data loss; and attacks on connected medical devices.
The 405(d) Task Group also provides resources on "10 Best Practices" for addressing the top 5 threats and strengthening cybersecurity capabilities in the HPH sector. In addition, on October 31, 2022, the final day of National Cybersecurity Awareness Month, HHS released a video presentation on recognized security practices to educate organizations covered by HIPAA on the security practices recommended to help protect patient information from cyberattack.
Even without the substantial human or financial resources available to larger organizations, small and mid-sized healthcare providers cannot afford to neglect HIPAA compliance. Providers of all sizes must take HIPAA seriously and protect their patients' and their own electronic information and systems from growing and evolving cyber threats. This imperative includes maintaining a living, robust security program: frequent assessments of threats and vulnerabilities, and a risk management program to address them, built on recognized security practices.
Lani M. Dornfeld is a member of Brach Eichler LLC and a member of its Healthcare Law Practice Group. She regularly assists healthcare provider clients with compliance, corporate and transactional matters and is certified in Healthcare Privacy Compliance by the Compliance Certification Council.