OCR Steps Up Investigation of Smaller HIPAA Breaches
The HIPAA spotlight searches through the hundreds of thousands of reported HIPAA breaches involving fewer than 500 records and highlights those caused by non-compliance. OCR has issued fines of as much as $50,000 for breaches under 500 records.
What are the root causes of HIPAA breaches? While criminal activities have increased dramatically, their success is ultimately dependent on human error. Stealing a laptop with unencrypted ePHI is obviously the work of criminals; however, placing the ePHI on the laptop and leaving it where it can be stolen were human errors. How many mobile devices are floating around out there with unencrypted ePHI?
In my last blog I wrote about social engineering's effect on HIPAA breaches. Since then I read an excellent book, "Phishing for Phools", that makes the case that the notion of tricking people into making poor decisions is endemic in our society. In our case it involves tricking someone into opening the wrong email or clicking on the wrong link, which allows the criminal to gain access to the computer and possibly the network. Once they are inside the fences or defences such as firewalls, they can wreak havoc by either stealing the ePHI outright or locking it up and demanding a fee to release it (ransomware).
I can't count the number of times I have been told that "we are too small to need HIPAA compliance" or "we can't afford to pay for HIPAA compliance". These arguments will not seem reasonable to the organization that gets a $50,000 fine for a breach of 441 patient records (Hospice of North Idaho (HONI)).
HHS only requires that you meet the security and privacy standards that are reasonable and appropriate to the size and complexity of your organization. We have tailored HIPAA compliance programs appropriately and priced them appropriately. We even have a program for a single person called Jumpstart Expert. These are programs that come with not only the content and tools you need but a personal Helper assigned to you who checks your work and answers your questions.
Take a look at www.compliancehelper.com or email me at firstname.lastname@example.org