Insurance giant Anthem was recently tagged with a $16 million-dollar HIPAA penalty. What can you do to keep your solo or small practice from getting hit?
Earlier this month, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued a press release stating Anthem would pay the OCR $16 million, the largest-ever HIPAA settlement, following the largest-ever health data breach in U.S. history. This settlement nearly triples the previous high of $5.5 million that Florida-based Memorial Healthcare System paid the OCR in 2016.
OCR Director Roger Severino stated in the press release that, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Director Severino continued, “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Unfortunately, this is not where Anthem’s issues ended. The release finishes by stating that, “In addition to the impermissible disclosure of electronic protected health information (ePHI), OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014.”
This begs the question: If this could happen to Anthem, which failed to prospectively and retroactively address its HIPAA compliance issues despite having ample resources to do so, could this happen to a solo or small practice group that does not have the same resources? The answer is, uncontrovertibly, yes.
In the last several months, ransomware and other cyberattacks have targeted solo and small practices causing an overwhelming number of patient medical and personal information breaches. What can solo and small practices do to protect themselves from such attacks? Here are three suggestions:
OCR’s press release states Anthem failed to conduct an enterprise-wide risk analysis. If Anthem had done this, the severity of the hack could have been lessened. Small or solo practices must conduct a risk analysis rather than simply they do not get audited. But, it is not enough to simply conduct a risk analysis-the covered entity must also address identified risk gaps and work to close them. The worst thing a practice can do is conduct a risk analysis and do nothing with the results.
From OCR’s perspective, if the practice conducts a risk analysis, it means they know where the risk gaps are. If the practice knew about the risks, but failed to do anything about them, fines tend to be larger. Therefore, practices must conduct a risk analysis and proactively address the identified risk gaps. Failure to do so could lead to an attack and subsequent penalties.
In the corrective action plan Anthem agreed to as part of its settlement, one potential HIPAA violation was Anthem’s failure to meet “[t]he requirement to implement sufficient procedures to regularly review records of information system activity.” The corrective action plan requires Anthem to address its deficiencies uncovered during the OCR’s investigation and report its compliance to the OCR. How does your practice stand up?
Audit trails can help practices determine if someone is attempting to hack in, whether the hack was successful, and how to mitigate the hack before it causes major compliance headaches, among other issues. While this can take an office manager or physician a significant amount of time, it is still cheaper than fines. Conducting audit trails is also necessary to protect ePHI and comply with HIPAA.
HIPAA auditors will ask practices multiple questions with respect to written policies and procedures. They likely will begin by asking, “Do you have written policies and procedures?” If so, they will follow up by asking, “Do you have written policies and procedures for granting access to your ePHI to staff, vendors, and/or software concerning who actually need access?” If the answer is also yes, they will ask, “Have you sufficiently trained your staff on these policies and procedures?”
Answer no to any of these questions, and your practice could be subject to penalties similar to those OCR imposed upon Anthem. Practices should focus on prospective compliance instead of spending hard-earned resources resolving OCR disputes. It is better for a practice to be proactive than reactive when it comes to HIPAA compliance. Therefore, it is vital to ensure your practice has written policies and procedures and has trained your staff on those policies and procedures.
Anthem likely is wishing it had prospectively complied with HIPAA, as doing so may very well have helped avoid the OCR’s stiff fine. Anthem has legal, risk management, and compliance teams dedicated to HIPAA compliance. They were still targeted and hit by cyberattacks and, subsequently, tagged with massive penalties from the OCR.
If you are a practice group owner, or are a member of a small practice group, who is protecting you? Are you simply relying on your office manager or compliance officer to keep you in compliance? Is this person qualified?
Anthem has 16 million reasons why simply trusting your HIPAA compliance team may be insufficient. Instead, your practice should heed the words of former President Ronald Reagan and, “Trust, but verify.” Doing so could help your practice group ensure HIPAA compliance and avoid breaches and OCR penalties.
Kyle Haubrich, JD, is counsel at Sandberg Phoenix in St. Louis and focuses his practice on the rapidly evolving areas of healthcare law-specifically on HIPAA and MACRA regulations-for individuals, group practices, and hospital-based physicians.
Jacob Grimes, JD, is an associate attorney at Sandberg Phoenix, where he is a member of the firm’s health law practice group. Jacob’s practice focuses on advising healthcare entities and providers on regulatory matters and defending medical malpractice claims.