It’s not uncommon for our blog to feature cybersecurity information or warnings about CMMC/NIST and HIPAA violations. The reasons are varied: while these compliance standards exist for good reason—generally to protect private and/or sensitive information—they are also built around cybersecurity strategies.
And, as a large company recently discovered, CMMC/NIST/PCI/HIPAA violations can come with a hefty price tag.
We’ve discussed compliance in general in past blog posts, so I won’t rehash it all here. (You can learn more about CMMC, HIPAA, and PCI here. CMMC and HIPAA are explored more in depth by clicking each respective link.)
The Health Insurance Portability and Accountability Act of 1996
Commonly known as HIPAA, this legislation is intended to protect personal information (generally medical, called electronic protected health information or e-PHI) stored by healthcare providers or their associated agents. As outlined in the link above, the primary categories of HIPAA data protection involve both physical and technical safeguards.
The Excellus Breach
In the case of Excellus (and thus its parent company, Lifetime Healthcare, Inc.), a data breach occurred no later than December 2013. Unfortunately, the breach was primarily one of snooping, and no signs of the intrusion were discovered until August 2015. In the meantime, somewhere between 9 and 10.5 million persons’ information was exposed, possibly including names, addresses, social security numbers, birthdates, health information, insurance information, and financial account information.
Upon discovery, the company offered those affected two years of credit monitoring and worked with FBI resources on the forensic investigation. A class action lawsuit was filed over alleged inadequate information protections, delays in notifying affected persons, and a lack of resources for victims dealing with the breach.
Still, despite the company’s efforts to right the ship after the breach, simply exposing e-PHI can result in one or more HIPAA violations. After some years of litigation, the parent company settled with the US Department of Health and Human Services for a $5.1 million penalty. Other costs associated with the settlement, such as legal fees, were not publicly disclosed. Additionally, the HHS settlement requires execution of a corrective action plan to avoid future HIPAA violations. While the settlement does not prescribe the specific actions required, Excellus must conduct risk analyses and develop risk management plans (including a process and timeline for implementation, evaluation, and revision). At each step, these must be submitted to HHS for approval.
What Does That Have To Do With My Healthcare Business?
Excellus’s failure can be a lesson for other businesses responsible for digital medical information (or any other e-PHI as defined by the legislation). But compliance won’t magically come together on its own! Involve your IT team or drop a note to compliance experts! Our team can help you plan and execute steps to align your business or organization with HIPAA, spare you the bureaucratic costs and hoops that follow a series of HIPAA violations, and—most importantly—keep your clients’ medical records safe.