We have found out that the topic of HIPAA Security Compliance is a slippery road that most covered entities and business associates do not understand. Most of the time, when we ask the question regarding HIPAA Security compliance the answer is always yes. This actually surprises us as it is almost impossible to be 100% in compliance with HIPAA Security.
In some cases, these Covered Entities and Business Associates know enough to answer our questions properly. Sometimes they may even have an employee or resource that is somewhat competent about the topic of HIPAA Security and compliance, yet they fail to document their actions or do not recognize that their documentation is not strong enough to meet the HIPAA Security compliance requirements.
We consider the failure to answer basic questions or provide documentation to be the $1 million dollar. We say $1 million as one of the reports we followed mentioned this amount as the average settlement for HIPAA Security violators. Of course, there have been higher settlement amounts such as:
| Organization | Violation | Settlement |
| Memorial Health Systems (MHS) | Failed to implement audit procedures to review, modify, and/or terminate users’ right of access. | $5.5 million |
| Advocate Health Care Networks | Failed to accurately assess potential risks to its information technology systems and ensure that it and its business associates had adequate protections in place. | $5.55 million |
| New York Presbyterian Hospital and Columbia University | Failed to implement technical safeguards to prevent data breach. | $4.8 million |
| Triple-S Management Corporation | Penalty for multiple data breaches that had been suffered as a direct result of HIPAA-compliance failures. | $3.5 million |
The commonality we see in all of them is the implementation of a corrective action plan that normally includes:
- Security Risk Analysis with is corresponding Security Management Plan
- Revision or development of policies and procedures
- Adoption and distribution of policies and procedures to all personnel, and
- Training
Just for giggles we include items of each of the above-mentioned settlements in the table below.
| Organization | Settlement Terms |
| Memorial Health Systems (MHS) | Implement Corrective Action Plan that includes:
· Completion of full risk analysis and risk management plan · Revision of policies and procedures · Adoption and distribution of policies and procedures · Internal monitoring and engagement of third party to assess compliance program · Reporting of action items |
| Advocate Health Care Networks | Implement Corrective Action Plan that includes:
· Completion of full risk analysis and risk management plan · Create HHS-approved plans to secure its IT systems handling protected patient health information. |
| New York Presbyterian Hospital and Columbia University | Implement Corrective Action Plan that includes:
· Completion of full risk analysis and risk management plan · Revising policies and procedures, · Training staff and · Providing progress reports |
| Triple-S Management Corporation | Implement Corrective Action Plan that includes:
· Development of comprehensive HIPAA compliance plan · Completion of full risk analysis and risk management plan · Revising policies and procedures, · Training staff and personnel employed by its business associates. |
Considering the above information and our own field experience we created the following ten questions which will assist you in answering the question of: HIPAA Security; are you in compliance?
- Do you have a hard copy of a completed a HIPAA Security Risk Analysis (164.308(a)(1)(ii)(A)) for the previous calendar year?
- Do you have a hard copy of a HIPAA Security Management plan (164.308(a)(1)(ii)(B)) that accompanies your last HIPAA Security Analysis?
- Do you have copies of the Security Reminders (164.308(a)(5)(ii)(A)) provided to your staff for last year?
- Do you have a hard copy of a completed Evaluation (164.308(a)(8)) for the previous calendar year?
- Do you have copies of Business Associate Agreements (164.308(b)(1)) for all your business associates?
- Do you have copies of your facility security plan (164.310(a)(1)?
- Do you have logs (164.312(b)) that have been reviewed to ensure that the access to ePHI have been conducted by authorized individuals?
- Do you have documentation showing that information within the system has not been modified (164.312(c)(2))?
- Do you have assurances that your Business Associates are in compliance with HIPAA Security (Omnibus Rule)?
- Have you reviewed or updated your policies and procedures and have documentation showing these actions?
If you answer no to any of the above questions or if you don’t have the documentation to prove any of the above actions, you are not in compliance with HIPAA Security.
The reality is that HIPAA Security compliance should be considered a team sport. HIPAA Security compliance deals with Information Technology, human resources, facility security and much more. For every requirement identified in the rule covered entities and business associates must develop policies and procedures, train their staff members and document completion of those activities.
Sadly to say, if you are not in compliance with HIPAA Security there are only two viable options we recommend: contract a competent expert to help your organization develop all the relevant policies and assist with the implementation or look into EPI Compliance as this application not only provides you with policies and procedures, training and security reminders but also provides a monthly guide to assist you with the actions covered entities and business associates must complete.
In summary, do not make the 1 million dollar and make sure your organization is in fact doing what they need to do in order to be in compliance with HIPAA Security.