In 2018 the Office for Civil Rights (OCR) investigated and settled multiple cases resulting in over $28 million in fines and judgments, making it a record year for enforcement activity. Enforcement actions by the OCR have increased steadily since 2014 as healthcare entities struggle to secure their protected health information and remain in compliance with federal laws.
Reasons Cited for OCR Enforcement Cases:
- Healthcare entities failed to perform a risk assessment, or performed an inaccurate or inadequate one
- Entities incurred a data breach
- Entities were cited for failure to implement/adopt policies and procedures
- Entities had failures or inadequate levels of data encryption and decryption of ePHI
- An entity was cited for not following a risk management plan on their own risk assessment findings
- Entities incurred 3 or more of the above violations
OCR deputies over the last several years have advised healthcare entities to perform an adequate enterprise-wide risk analysis, examine internal policies and procedures, and implement a written, ongoing risk management plan to correct risk findings. OCR enforcement deputy Deven McGraw explained at a 2017 EHR industry conference that nearly every breach case investigated by the department originates from a hospital that failed to perform a risk analysis. Of those that did perform a risk analysis, many failed to identify the steps needed to mitigate the risks found and took no further action.
Healthcare administrators for smaller organizations may presume that OCR enforcement focuses on larger entities, so there is little risk of being investigated. However, since 2015 the OCR has focused on investigating smaller entities in which breaches occurred affecting fewer than 500 individuals. Two examples stand out in 2018: the OCR investigated Pagosa Springs Medical Center in Colorado and cited it for violations stemming from a data breach, totaling $111,400, and Advanced Care Hospitals received a $500,000 fine, also for a potential compromise of PHI data.
Cyber-security threats such as e-mail phishing are on the rise in the healthcare industry, and OCR investigations will place enforcement focus on failures to protect healthcare information and on the damage data breaches cause to all parties involved. Roger Severino reported at HIMSS 2019 that the OCR plans to continue its enforcement efforts around healthcare entities that fail to provide patients access to their medical records and entities that have a culture of noncompliance. Enforcement officials will specifically give attention to entities that fail to conduct a comprehensive risk analysis, lack HIPAA policies and procedures, have inadequate management practices, have no business associate agreements, improperly disclose PHI, and lack safeguards.
If you would like more information on why compliance as a service can better protect healthcare organizations, please contact Mandry Technology. To stay informed with the latest on healthcare technology and cyber security please subscribe to the Mandry Technology blog.