HIPAA Fines for Getting Hacked? Yes, It Can Happen.

February 02, 2017

Data breaches are on the rise, and many hackers are targeting medical records. A report by Accenture estimates that one in thirteen patients will experience the theft of their personal information. This can result in financial loss for the patients, who can become victims of medical identity theft, and for the organizations, which can face HIPAA fines.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to improve the national health care system. The HIPAA Privacy Rule protects the privacy of individuals’ medical records by limiting who has access to those records. Under HIPAA, organizations that handle medical records are responsible for keeping the information safe and private.

This means that if an organization is hacked and protected patient information is stolen, the organization can be fined. It might sound like a bad case of victim blaming, but each organization is expected to enact safeguards to prevent unauthorized parties from accessing information.

Who’s Affected?

Health insurance companies, health providers, billing companies and other organizations contracted to handle medical information are required to follow HIPAA guidelines. This does not normally include employers. However, HIPAA does apply to employers who provide workplace wellness programs that are part of a group health plan.

What’s the Worst That Can Happen?

A data breach can be a nightmare. Organizations have to deal with understandably upset individuals and the bad press that results. They may also have to pay hefty fines.

It’s not just a hypothetical issue, either. The University of Massachusetts Amherst had to pay $650,000 after a malware infection compromised protected data. The university was also required to establish a corrective action plan to prevent future incidents.

The U.S. Department of Health and Human Services Office for Civil Rights maintains an online record of data breaches affecting at least 500 individuals. A search for breaches caused by hacking or IT incidents (which are grouped together in the database) yields 95 results for the year 2016 as of December 19, 2016. Some of these breaches affect millions of individuals.

How Can Organizations Avoid Fines?

Organizations must follow the HIPAA Security Rule.

To help organizations deal with cybersecurity risks, the National Institute of Standards and Technology published the Framework for Improving Critical Infrastructure Cybersecurity (or Cybersecurity Framework for short). A crosswalk that maps the Cybersecurity Framework to the HIPAA Security Rule is available here.

Organizations must keep up with the latest technology and risks in order to protect the information they store. Additionally, organizations should document all practices so that they can prove that all necessary precautions have been taken. Cyber liability insurance is also a good idea. Talk to your Heffernan agent for details.