HIPAA Penalties Sting Outside the Healthcare Field Too

Benefiting from Healthcare’s Lessons Learned

By Bob Chaput, CEO of Clearwater Compliance
Twitter: @ClearwaterHIPAA

Most companies in the U.S. likely feel that Health Insurance Portability and Accountability Act (HIPAA) violations are strictly a healthcare industry concern. But any company with a self-funded group health plan (GHP) is now subject to HIPAA regulations, and the penalties imposed for violations are getting too costly to ignore.

Due to changes in the civil monetary penalty system under the government’s Omnibus Final Rule, the penalties for HIPAA violations involving willful neglect have risen from $25,000 per violation to an alarming $1.5 million. And since a healthcare data breach typically involves multiple HIPAA violations, a company’s GHP can potentially incur penalties totaling many millions of dollars.

Companies outside the healthcare field can benefit from the painful lessons learned by hospitals and other HIPAA-covered entities in recent years. Since 2012, every healthcare organization that has undergone an Office for Civil Rights investigation resulting in a corrective action plan has been cited for failing to conduct a thorough risk analysis beforehand. Many healthcare organizations have learned the hard way that a risk analysis involves much more than a security assessment or a so-called “penetration test” of IT system safeguards.

Because they’ve been burned, many healthcare systems are moving to more rigorous risk methodologies and benchmarks, such as the guidelines from the National Institute of Standards and Technology (NIST). The NIST approach involves a formal process for assessing risk based on assets, threats, vulnerabilities, controls, likelihood and impact, and the HIPAA Security Rule is based on the NIST Security Framework.

Until recently, it’s been prohibitively expensive and time-consuming to conduct a rigorous NIST-style risk analysis because the job is too difficult to handle manually. But now there are cloud-based software solutions that are both comprehensive and easy to use. These tools walk organizations through every facet of risk analysis and help operationalize the entire compliance program.

The healthcare industry, perhaps more than any other field, understands that risk analysis is not a “once and done” task; it’s a process that gets stronger over time. A NIST-caliber risk analysis can become the cornerstone of a risk-management program in any field, not just one that deals daily with confidential patient data.

Achilles Heel: Your Group Health Plan

Any GHP with more than 50 participants must now meet specific requirements under the HIPAA privacy and security rules and the HITECH breach notification rule. These provisions also apply to the plan’s many business associates (BAs) who handle eligibility, enrollment, claims management, IT services and more.

Group plans are now required to have BA agreements for all service providers with access to protected health information (PHI). These agreements need to impose the same PHI restrictions and conditions that apply to the plan sponsor.

Any company—whether it’s in banking, aviation, manufacturing or any other industry—can face costly HIPAA penalties if just one business associate snoops into confidential patient records. It’s a growing problem in both urban and rural locations. BAs in metropolitan areas are more likely to snoop into celebrities’ health records; those in rural areas are tempted to view the health records of friends and neighbors in the community.

A NIST-style risk analysis can help uncover any weaknesses in your plan’s current management of BA agreements. The process starts by determining exactly where health data “lives” in your group plan—on paper, electronically and even verbally. This helps your GHP authorize and limit access to confidential data and lays the groundwork for effective policies and procedures. It’s also important to provide ongoing HIPAA training for all BAs who handle sensitive data and to keep training logs that show regulators that you’re being diligent in that effort.

Because a group plan’s many BAs are now subject to stringent HIPAA regulations, even companies outside the healthcare field are on the radar of federal regulators. The best way to avoid seven-figure penalties is to conduct a thorough risk analysis and refine that process year after year.

About the Author: Bob Chaput is CEO of Clearwater Compliance, a HIPAA/HITECH advisory firm based in Brentwood, TN.

This article was originally published on The Privacy Advisor and is republished here with permission.