Two settlements for HIPAA violations, reached by the Department of Health and Human Services with Concentra and with QCA Health Plan, have brought new enforcement expectations into focus.
For the last few months, Medicus Solutions’ blog has been at the forefront of the discussion about HIPAA and health care security. While we have covered the more technical side of security, such as crypto ransomware, most of our focus in 2016 has been on how the Department of Health and Human Services (HHS) and its Office of Civil Rights (OCR) have stepped up enforcement of HIPAA with new waves of audits across the industry, and on discussing related matters with our partners who are also leaders in the field.
Now, news of recent events has surfaced showing that HHS means business: HIPAA violation settlements totaling nearly $2 million have been reached with two health care entities, Concentra Health Services and QCA Health Plan Inc., both of which reported stolen, unencrypted laptops. With theft or loss of unencrypted devices representing one of the biggest threats to the health care sector, with some 2.8 million breaches in California alone since 2012, the need for proper security and encryption in health care has never been more critical.
Back in March, we discussed the most common security breakdowns and breaches at health care entities, referencing a report released by the California Attorney General, Kamala D. Harris, and her team. That report, and our subsequent article, found that physical loss of hardware (lost or stolen laptops, hard drives, thumb drives, phones and physical files) accounted for more than 50% of the health care industry’s breaches. More alarming, 55% of the medical records compromised on these devices were entirely unencrypted.
Costs of Data Breaches For Individuals
The significance and impact of these data breaches for individuals cannot be overstated. Research from Javelin Strategy & Research notes that 67% of data breach victims eventually become victims of fraud. On May 5, 2015, UCLA Health concluded that a hacker had accessed parts of its network containing the addresses, dates of birth, social security numbers and medical records of 4.5 million individuals. The data was not encrypted. If the percentages hold, more than 3 million of those people are likely to become victims of fraud at some point in the future.
Costs of Data Breaches for Businesses
For businesses, the cost is different but no less impactful: data breaches not only impose financial, reputational, and business-opportunity penalties and costs, they also threaten critical infrastructure. Violations have to be made public, and the current list of reported breaches can be seen here, creating a very embarrassing situation for many health care providers. It is becoming increasingly clear that HHS intends to keep setting very clear standards for failure to observe HIPAA rules and regulations. The $2 million in settlements announced a little over a week ago is best considered an opening salvo, and one that businesses that wish to stay in business need to sit up and take note of. Concentra will pay OCR $1.72 million and fill its 2016 calendar with corrective actions. QCA Health Plan has agreed to a $250,000 monetary settlement and to correct a multitude of observed failures within its own HIPAA compliance program, according to OCR.
In the past, loss of an unencrypted laptop or other computer hardware holding patient information would have been considered a concerning but ultimately relatively small infraction. In 2016, such failures will cost your health care entity hundreds of thousands or even millions of dollars.
Roughly 50% of health care breaches resulted from lost or stolen computer equipment, typically laptops. 55% of compromised patient records were the result of a failure to encrypt data.
How Your Entity Can Address Its Health Care IT Security Issues
We continue discussing these issues here because all health care entities need to take note: HIPAA enforcement is here. The run of more than a decade of tolerated non-compliance is at its end, and your health care entity must be prepared for the inevitable audits and for enforcement of any uncovered violations. It is therefore essential that your organization implement strong encryption to keep sensitive data safe. For devices such as laptops that are naturally at risk of physical loss, encrypting work-related folders, developing and implementing a security plan, and training staff in the proper use of those systems are essential to robust security.
Whether you work with Medicus Solutions or another medical IT security company, we encourage you not to wait for an OCR audit to begin your review and act on your security deficiencies. Have an independent party review your security and your compliance with HIPAA regulations, and do everything you can to be beyond reproach. In doing so, your entity can ensure that its patients are as protected as reasonably possible and avoid consequences or penalties from HHS even in the unexpected event of a breach. Fail to do so, and your entity may be the next one we write about being hit with harsh penalties from HHS.
The good news: Medicus Solutions can help! Our team specializes in medical IT solutions including implementation, ongoing support, and related services. We can quickly evaluate the quality of your current security solutions, test your backups and networks, scan for vulnerabilities, implement new secure systems and services as needed, and much more. If your organization would like an evaluation from a team with more than 20 years of experience in IT security services, we encourage you to contact us today.
About Medicus Solutions:
Medicus Solutions, LLC (http://msinc.com/) is an Alpharetta, GA based company that specializes in providing IT management solutions to improve the efficiency, security and stability of your company’s operations. Medicus offers a range of IT services that work both independently and in unison to ensure your company operates securely, seamlessly and efficiently, including secure email and backup services, virtual hosting services, HIPAA-approved file encryption systems, and much more. For more information about Medicus Solutions, please call our main office in Alpharetta at 678-495-5900 or visit our website.
Medicus Solutions writes about news, technologies, and educational topics that are defining the future of health care IT solutions and security issues at its blog: http://msinc.com/blog/