Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Top HIPAA Security & Privacy Risks for Hospitals

Healthcare Assessments

With over two decades of HIPAA history behind us, more than a decade of mandatory compliance and federal compliance enforcement, and a shortage of resources to help hospitals achieve compliance, the healthcare industry is still plagued by non-compliance issues every year—particularly regarding risk and access management.

We know this because the Office of Civil Rights (OCR)—as part of its responsibility for HIPAA enforcement—actively conducts compliance reviews and investigates complaints of violations as well as data breaches. Upon confirming non-compliance, OCR publishes a press release describing the specific HIPAA violations found, the financial penalty imposed on the violator, and the corrective action plan detailing remediation requirements. OCR also generally monitors the violator for three years to ensure the corrective action plan is thoroughly implemented.

Aside from the OCR, other governing bodies have also become keenly aware of the security and privacy risks healthcare systems continue to face—New York Governor Kathy Hochul recently announced a new proposal that includes $500M in funding that hospitals can apply for the implementation and/or upgrade of their cybersecurity programs.

Still, even with more funding, it can be difficult to pinpoint the areas of highest impact when safeguarding patient information, and that can lead to lapses and gaps in compliance with HIPAA that garner hefty fines.

As experienced HIPAA assessors, we've analyzed the OCR Enforcement Results, and in this article, we’ll outline the reoccurring issues and top HIPAA risks for hospitals and other healthcare organizations to help ensure you take measures to mitigate them.

9 Pitfalls Hospitals Must Avoid for HIPAA Compliance

1. Data Breaches from Cybersecurity Attacks

 

In the first four months of 2023, healthcare providers across the U.S. reported 125 data breaches affecting 500 or more individuals to the OCR—77 of those data breaches (62%) were hacking incidents or breaches related to poor information technology.

Given the value and volume of their data, hospitals & other healthcare organizations are especially vulnerable to phishing attempts and ransomware attacks, and so you must stay up to date with current security standards and know how to protect your organization against these threats:

  • How to Prevent Ransomware Incidents: The best defense is a multi-pronged approach using regular patching, backup systems, and a recovery strategy—that means building in time and resources into the budget for recurring security updates and cybersecurity training, while regular software updates should help address security flaws favored by hackers. 
  • How to Prevent Falling Victim to Phishing: Employees should be trained to recognize phishing attempts—perhaps through simulated phishing attacks—and on what to do if they suspect an incident has occurred.

Too many continue to roll the dice with their patients’ protected health information (PHI)—a high-risk strategy, since the cost of operating an effective HIPAA-compliant security program is typically far less than the costs that result from a data breach.

2. Failure to Perform an Organization-Wide Risk Analysis

 

HIPAA requires healthcare organizations to conduct an accurate and thorough risk analysis to reveal the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization—if you know where you’re vulnerable, you can take steps to address those gaps with IT defensive measures and prepare yourself against potential threats.

The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty, and it’s no wonder—if risk analysis is not performed regularly, you won’t be able to determine whether any vulnerabilities to PHI exist.

That leaves them likely to remain unaddressed and opens the door for costly violations, as these organizations know, having recently settled for failure to conduct an organization-wide risk analysis:

  • Banner Health - $1.25M
  • Oklahoma State University - $875,000

3. Failure to Manage Security Risks / Lack of a Risk Management Process

 

Performing a risk analysis is essential, but it’s not just something you check off your compliance to-do’s—you must also properly manage the risks identified, and that starts by prioritizing them and addressing them in a reasonable time frame.

Knowing about risks to ePHI and failing to address them is another of the most common HIPAA violations penalized by the OCR, as Jackson Health System understands, having had to pay a recent HIPAA civil monetary penalty of $2.15M for the failure to manage identified risks.

4. Failure to Manage HIPAA Risks of Outsourcing to Business Associates

Of the 198 breaches affecting 500 or more individuals that were reported to the OCR in the first 4 months of 2023, 49 of them (25%) were by business associates. Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program, as it’s your responsibility to ensure that vendors are also complying with HIPAA rules—that starts with implementing business associate agreements (BAA) with each of them.

Failure to enter into a HIPAA-compliant BAA with all vendors is a frequent flashpoint for OCR settlements, including these recent ones:

  • Raleigh Orthopedic Clinic, P.A. of North Carolina – $750,000
  • North Memorial Health Care of Minnesota – $1.55M
  • Care New England Health System– $400,000

5. Denying Patients Access to Health Records/Exceeding Timescale for Providing Access

 

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request, and so denying them that, or overcharging for copies, or failing to provide records within 30 days is a violation of HIPAA. OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019, and as of early 2023 has settled more than 40 cases.

To avoid this issue, healthcare organizations should implement policies and procedures for granting patients access to their PHI and ensure that staff members are aware of and trained on these policies and procedures.

6. Insufficient ePHI Access Controls

 

There are two ways in which violations for unauthorized access or disclosures occur:

1. Unauthorized
Employee Access:

The act of accessing the health records of patients for reasons other than those permitted by the Privacy Rule—most often committed by employees snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities.

To Avoid This: Check the controls, policies, and procedures that govern employee access to patient data, as these are both essential to HIPAA compliance and guide employees on what is appropriate—yours should dictate what use and disclosure is allowed per job function, and you should train employees to ensure they’re aware of their limitations.

*Also take care to terminate employee access to ePHI immediately upon their departure from your hospital and their surrendering of credentials.

2. Unauthorized Access by Another Entity:

Covered entities must implement the appropriate controls to limit access to ePHI to authorized individuals—recent financial penalties issued to covered entities for failure to do so include that issued to Memorial Healthcare System for $5.5M.

To Avoid This: Implement:

  • User authentication controls that provide unique login credentials for each employee
  • Access controls that enable administrators to designate different ePHI access levels using those unique login credentials

Audit controls that track access to data to ensure that ePHI is accessed appropriately by each employee

 

7. Impermissible Disclosures of Protected Health Information

 

Disclosures of PHI that are not permitted under the HIPAA Privacy Rule and can attract a financial penalty include:

  • Disclosing PHI to a patient’s employer for a purpose not permitted by the Privacy Rule
  • Potential disclosures following the theft or loss of unencrypted laptop computers
  • Careless handling of PHI, disclosing PHI unnecessarily,
  • Not adhering to the ‘minimum necessary’ standard
  • Disclosing PHI after patient authorizations have expired

8. Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

 

While encryption is not mandatory under HIPAA Rules, if you decide not to use it, you must use an alternative, equivalent security measure in its place, and not doing so results in a violation—recent settlements for the failure to encrypt data and implement appropriate device and media controls to safeguard ePHI include that issued to Lifespan Health System Affiliated Covered Entity for $1.04 million.

Keep in mind that one of the most effective methods of preventing data breaches is to encrypt ePHI, and that breaches of encrypted ePHI are not reportable security incidents unless the key to decrypt data is also accessed.

9. Exceeding the 60-Day Deadline for Issuing Breach Notifications 

 

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach.

It’s important to remember that this period begins when it is known or by reasonable diligence should have been known that a breach of PHI has occurred, not when the investigation is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule.

Moving Forward with HIPAA Compliance

These nine common pitfalls, as well as other failures to comply with the requirements of HIPAA, can trigger an investigation by the OCR, and the potential resulting penalties and costs can be severe—especially if a compliance failure has led to a compromise of ePHI.

Having read all this now, you may be wondering, if OCR visited your hospital today to conduct a compliance review or an investigation, how would you fare? Would any of these failures be found in your hospital? To help you sleep better at night, make sure to check out articles that can help:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.