How Does a $16 Million HIPAA Violation Settlement Grab You? HIPAA & HITECH Act Blog by Jonathan P. Tomes

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has announced the biggest HIPAA violation settlement yet—that is, $16 million, smashing the previous record of $5.55 million, which Advocate Health Care settled for in 2016. This latest settlement pushed the total amount of civil money penalties and settlements in lieu thereof over the $100 million mark. That’s a lot of money to help fund OCR’s enforcement efforts.

In January 2015, Anthem, the nation’s second largest health insurer, discovered that hackers had gained access to its systems and its members’ sensitive data. The hackers had used phishing emails to gain access to the data of 78.8 million plan members, including names, addresses, dates of birth, medical identification numbers, employment information, email addresses, and Social Security numbers.

The resulting OCR investigation found the following HIPAA violations:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A). Failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”).
  • 45 C.F.R. § 164.308(a)(1)(ii)(D). Failure to implement policies and procedures for regularly reviewing records of information system activity.
  • 45 C.F.R. § 164.308(a)(6)(ii). Failures relating to identifying and responding to the detection of a security incident that led to a breach.
  • 45 C.F.R. § 164.312(a). Failure to implement sufficient reasonable and appropriate technical policies and procedures for electronic information systems that maintain EPHI and to allow only authorized persons/software programs to access that EPHI.
  • 45 C.F.R. § 164.502(a). Failure to prevent the unauthorized accessing of the EPHI of 78.8 million individuals that was maintained in its data warehouse.

These violations are not uncommon. They are the violations that we have been preaching about in this blog for years—that is, failure to do a risk analysis, failure to update the risk analysis, failure to implement and enforce necessary reasonable and appropriate policies and procedures based on the results of the risk analysis, and failure to respond properly to a security incident.

Fortunately, I have never had to represent a client who had not done a risk analysis and had then had a breach because I’m quite sure that my seven for seven string of no sanctions against my clients arising from an OCR investigation would have come to a screeching halt.

Failure to conduct and keep written documentation of a risk analysis at this point—that is, after a risk analysis has been required since the Security Rule was finalized in 2003 and the lack of one has figured in the majority of seven-figure HIPAA settlements—and failure to implement and enforce policies and procedures are simply unacceptable, particularly because they need not be expensive or difficult to do. Yes, you are likely nowhere near as big as Anthem, so you most likely will not have to face an eight-figure fine. But could you afford a six-figure one?

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at

If you need guidance on how to draft the policies and procedures that your risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.

If you have had a security incident that you were unsure what to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

As always, thanks for reading Jon’s blog, buying his books, attending our seminars and webinars, and hiring Jon for HIPAA consulting. We wish you every success with your HIPAA compliance efforts.
