Over the past several months, a steady stream of security breaches, coupled with a number of settlements recently announced by the U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), have put healthcare providers on high alert. Several OCR decisions, including a $5.5 million settlement with Memorial Healthcare System last month, have highlighted the legal implications of security breaches in the wake of a record-setting year of hackers targeting the healthcare industry. The total cost of a breach will likely far exceed any settlement with OCR, because the significant majority of corrective action plans require providers to hire independent, third-party investigators to assess HIPAA compliance.
In reviewing some of the more significant settlements of the past several months, four (4) distinct themes are emerging regarding the nature and scope of these breaches, which can be summarized as follows:
- business associate agreements between providers (as covered entities) and vendors (as business associates) are an important target for OCR enforcement actions;
- failure to conduct a risk assessment required by HIPAA, or to implement its findings, can lead to fines and penalties well above the standard $1.5 million annual maximum;
- "cloud service" providers can be held liable for failing to protect PHI; and
- OCR will take an organization’s failure to report a breach very seriously.
The healthcare industry has received substantial criticism over the past year for cybersecurity failures. It is therefore critical that security concerns be addressed promptly at the executive level and with the full involvement of the organization's board.