How HIPAA Non-compliance Will Cost You Hundreds of Thousands of Dollars
By Alex Thibodeau
There are millions of attempted cyber-attacks in the U.S. every day, and your local health department could be liable for hundreds of thousands of dollars in fines and damages. How prepared are you for a data breach?
Between 2009 and 2013, a total of 730 healthcare data breaches of 500 records or more were reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). All told, more than 24 million electronic protected health information (ePHI) records were compromised within those four years (or about 33,000 per breach). Throughout all of those cases, though, a local health department was never fined by the OCR for HIPAA non-compliance. Skagit County, Washington, just changed that.
Skagit County – What Happened?
Skagit County, made up of around 100,000 people in northwest Washington, recently became the first local government to be fined due to HIPAA non-compliance. The fines total $215,000 for failure to act after a security breach. The two-week data breach that took place during September 2011 exposed the ePHI of 1,600 people on the county’s public web server. The county didn’t report the breach to the U.S. Department of Health and Human Services Office for Civil Rights until more than two months later, and it did not notify all of those impacted by the breach either. The OCR also found that Skagit County had not given enough attention to data security for the six years prior, lacking “sufficient policies and procedures to prevent, detect, contain and correct security violations.”
HIPAA Security Compliance
HIPAA, established in 1996, requires the U.S. Department of Health and Human Services to regulate the privacy and security of health information. In order to maintain compliance with HIPAA, local health departments must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
Further, local health departments need to continually review and improve the security systems protecting their data, because threats constantly evolve. Failure to comply, as you can see, leads to fines and penalties.
How Can Your Local Health Department Prevent Being Fined?
This is not a security threat that will go away. In fact, it’s increasing every year. More than 90% of companies report being hacked in the past twelve months. Utah’s state government alone faces more than 20 million cyber-attack attempts per day (up from one million a day two years ago). It’s gotten so bad that Computerworld Magazine calls security breaches a “statistical certainty”. Even the most well-funded and well-prepared organizations are susceptible to breaches. Just look at what happened to Target during the holiday season, where almost 70 million people had their personal data intercepted.
As Skagit County can now attest, being prepared to respond effectively to cyber-attacks is just as important as preventing them. The HIPAA non-compliance penalties it faces stem from its reaction to the breach, not so much from the breach itself.
Learning from Skagit County’s penalties, and in accordance with the OCR’s regulations to avoid fines, the Los Angeles County Department of Health Services has been proactive in containing a breach of more than 169,000 records last month. The department has notified all patients, posted notices on its website, and contracted with a billing vendor to fix the security hole and enhance their security for future use.
That last point is key. Partnering with a HIPAA-compliant billing and data solution will take all your headaches away. No longer will you have to worry about the complicated compliance process, as it’s all taken care of for you. Data security is a vital component of running a healthcare clinic today, and the OCR will fine your department if you can’t keep up.
From securing data and ensuring compliance (should a data breach ever occur) to helping your local health department develop preventative in-house security protocols, partnering with the right organization is a must in this day and age. Give our local health experts a call today to learn more about the SMART Health Suite and how it can help you avoid costly fines and maintain HIPAA compliance.