Although the Security Rule does not require encryption, if a breach occurs, failure to encrypt is likely to invite scrutiny from OCR, other regulators and plaintiffs’ attorneys. Moreover, even if ePHI is lost or stolen, breach-reporting obligations may be excused if encryption is in accordance with National Institute of Standards and Technology (NIST) standards.
Risk analysis is a recurring theme in OCR’s resolution agreements and Security Rule guidance. In August 2013, OCR expressed a similar focus on risk analysis when settling with Affinity Health Plan Inc. for returning used photocopy machines without erasing PHI from the copier hard drives. In its press release, OCR stated, “covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
This settlement is a reminder of the importance of taking appropriate steps to protect the privacy and security of PHI. Parties will pay a high price for their failure to take appropriate steps to protect the confidentiality and security of PHI. In addition to the monetary fine, addressing the breach and the resulting investigation will result in other heavy costs. For example, legal and consulting costs can be substantial; attention of staff members and leadership is diverted; and a corrective action plan can be significantly more expensive and time consuming to implement than if effective policies and procedures had been employed. Moreover, it is difficult to quantify the adverse impact of a breach on one’s reputation and relationships. Thus, even when covered entities diligently pursue HIPAA compliance, they should still consider cyber insurance or other means to offset the potential for incurring the immense costs of a breach or investigation.
Action Steps
To avoid potentially significant costs and liabilities for HIPAA noncompliance and to minimize the likelihood and consequences of a data breach, proactive steps should be taken to ensure that systems, policies and procedures comply with the HIPAA Rules and applicable state law. Accordingly, consider:
- Reviewing written HIPAA privacy, security and breach notification policies and procedures, and updating them if necessary;
- Identifying and reviewing all business associate relationships and business associate agreements;
- Assessing potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI through the performance of risk analysis;
- Engaging in risk management to identify and take action on security gaps and promptly correcting identified HIPAA violations;
- Documenting HIPAA-related determinations and actions;
- Training workforce members to comply with the HIPAA Rules and promptly identifying, investigating and responding to possible data breaches;
- Encrypting ePHI to the extent feasible;
- Avoiding unnecessary disclosures of PHI; and
- Obtaining cyber insurance.
HIPAA compliance is imperative, and taking proactive measures can help you avoid a bigger issue down the road.
