The Department of Health and Human Services Office for Civil Rights (OCR) recently fined a Denver health center $400,000 for events connected to a data breach that happened in 2011. This is the smallest fine the OCR has assessed so far in 2017.
You may wonder why we're bringing this up. The violation had nothing to do with printed documents or mail. The offender is a covered entity under HIPAA, not a Business Associate like DDS customers.
Under HIPAA, Covered Entities include health plans and health care providers. Business Associates are individuals or companies that have access to protected health information and assist a covered entity with functions like claims processing or billing.
We're writing about this news because its lessons do apply to the document industry and to the service providers who handle data and documents containing protected health information.
The Denver healthcare provider is not paying the OCR $400,000 and adopting a demanding corrective action plan because of the 2011 breach itself. They are paying because of what the subsequent investigation uncovered.
The OCR investigates breaches affecting 500 or more individuals to determine whether the breached organization violated HIPAA rules. In this case, the investigation showed the covered entity took sufficient action after the breach to prevent future phishing attacks. But OCR investigators also uncovered several HIPAA violations. The most serious was a missing risk analysis.
In the eyes of the OCR, an entity that has not assessed the risks to the confidentiality, integrity, and availability of its protected health information cannot claim to have identified all of those risks. If it cannot identify all the risks, it cannot assume the safeguards it has implemented are sufficient to reduce them. These were the failings that led to the HIPAA fine.
The OCR understands that a covered entity cannot protect itself completely from something like a phishing attack. Had the Denver healthcare provider performed an adequate risk analysis before the breach, the financial damage would likely have been minor. The expensive part wasn't the data breach; it was the lack of preparation.
The questions print service providers should ask themselves are:
1. Have we done a sufficient risk assessment?
2. Have we taken reasonable steps to reduce those risks to a level HIPAA would consider reasonable and appropriate?
3. Can we afford the consequences of an OCR investigation?
Phishing attacks can't be 100% prevented. Neither can document integrity errors. Unlike phishing, however, systems like DDS' can catch document integrity errors before print/mail service providers become responsible for a HIPAA privacy breach.
If you have yet to assess your HIPAA risks, call us. We will help you find the weak points in your workflow and suggest suitable remedies.