Another Record Breaking Year: 2018 HIPAA Settlements Reach an All-time High of $28.7 Million
As technology evolves, privacy and security continue to be a growing area of concern, and the risk of data breaches continues to increase. According to HIPAA Journal, 2018 saw a total of 365 breaches by covered entities and $28.7 million in financial penalties, nearly a 50% increase over 2017.
In most of the 2018 cases, violations were allowed to persist for long periods of time or were recurrences of previous violations. For instance, Cottage Health exposed the medical records of 62,500 individuals in two separate breaches of unsecured protected health information (PHI). The PHI was accessible and searchable online with no encryption, password protection, or firewall in place to prevent unauthorized access - a hacker's dream! Although the breaches were not malicious in nature, the California health system was fined $3 million for the incidents, which occurred between 2011 and 2013.
Multi-million dollar fines for HIPAA violations are now the norm, as enforcement has increased considerably over the past decade, but let us not forget that jail time is also in the cards should a violation be found to be malicious in nature. Research shows that although covered entities and business associates have become better at protecting healthcare records by implementing controls, lost or stolen paper records, unencrypted laptops, and other unencrypted electronic devices continue to be major problems.
The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of patient information.
Administrative Safeguards such as:
- Security Management – Appropriately assigning employees access to information
- Workforce training – Periodic training for employees, faculty, students and staff
- Evaluation – Security assessments
Physical Safeguards such as:
- Personnel Controls – Appropriate use and safeguarding of ID badges and log-in information
- Property Controls – Locked doors requiring ID badge entry for restricted areas
- Facility Access Controls – Secure storage and proper disposal of sensitive information
- Device and Media Controls – Use of privacy screens, secure storage of devices; lock or log off devices when stepping away
Technical Safeguards such as:
- Access Controls – Use of only encrypted devices; strong password creation and management; multifactor authentication
- Audit Controls – Use of audit logs to monitor users; general audits
- Transmission Security – Secure electronic exchanges of patient health information
As technology continues to evolve, it is of the utmost importance that you are proactive in protecting and securing patient information and ensuring that the proper security methods are in place.
For further information on HIPAA regulations and training please contact the Office of Privacy and Data Security at 305-243-5000. For technical assistance, such as encryption for University-owned devices, contact the UMIT Help Desk at 305-243-5999 or email@example.com.