Healthcare organizations have many reasons to remain compliant with HIPAA. Keeping ePHI (electronic protected health information) secure preserves the trust of their partners and patients. Data breaches, all too common in the industry, carry heavy financial and reputational costs. One of those costs is the civil monetary penalty that the HHS (Department of Health and Human Services) OCR (Office for Civil Rights), the agency that enforces HIPAA, can levy against them.
Unfortunately, many organizations have incurred these fines along with public disclosure of their noncompliance. In the end, it can cost them millions, far more than following cybersecurity best practices, including penetration testing, would have cost.
In this post, we’ll review the penalties for HIPAA violations, look at some recent cases, and discuss the value of penetration testing in healthcare.
OCR Fines and Penalties: What Are They?
The OCR can issue financial penalties to any organization that must abide by HIPAA rules regarding the collection, use, transmission, or storage of ePHI. The fines exist to deter noncompliance and ensure accountability. The penalty structure is tiered by the level of knowledge (culpability) the entity had regarding the violation. So, what constitutes a HIPAA violation?
When Does a HIPAA Violation Occur?
A violation means that a HIPAA-covered entity (or business associate) doesn't comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations can be deliberate or unintentional. A deliberate violation could be an employee knowingly sharing ePHI with someone who should not have access to it. An unintentional violation could be a failure to secure systems that lets an attacker infiltrate a hospital's network via phishing or another tactic and steal ePHI.
The unintentional example isn't the result of a deliberate act, but OCR may still treat it as negligence if it shows the organization wasn't following cybersecurity best practices, such as conducting risk analyses and penetration tests.
So, what happens if a violation happens? What could you have to pay?
The Tiers of HIPAA Fines and Penalties
The severity of the violation corresponds to the tier of fines. OCR uses penalties as a last resort for the most egregious incidents; it often resolves cases through voluntary compliance, corrective action plans, or technical assistance. Should it decide to impose fines, the statutory tiers are:
- Tier 1: The covered entity did not know, and by exercising reasonable diligence would not have known, that it violated HIPAA rules. The minimum fine is $100 per violation, up to $50,000.
- Tier 2: The violation was due to reasonable cause and not willful neglect; the organization should have been aware of it but could not have avoided it even with reasonable care. The minimum fine is $1,000 per violation, up to $50,000.
- Tier 3: The violation was the direct result of "willful neglect" of HIPAA rules, but the organization corrected it within 30 days. The minimum fine is $10,000 per violation, up to $50,000.
- Tier 4: The most serious tier: willful neglect is confirmed and no correction was made within the 30 days provided. The minimum fine is $50,000 per violation.
OCR has the discretion to waive fines for violations the entity did not know about, but there is no waiver for willful neglect. HHS adjusts these amounts annually for inflation. The adjustment in effect at the start of 2023 (published in 2022) set the per-violation amounts as follows:
- Tier 1: $127 as the minimum penalty, with the maximum set at $63,973
- Tier 2: $1,280 as the minimum penalty, with the maximum set at $63,973
- Tier 3: $12,794 as the minimum penalty, with the maximum set at $63,973
- Tier 4: $63,973 as the minimum penalty, with the maximum set at $1,919,173
Additionally, OCR's 2019 Notice of Enforcement Discretion lowered the maximum annual penalty for identical violations of the same provision within a calendar year for Tiers 1 through 3. The inflation-adjusted annual caps are:
- Tier 1: $31,987
- Tier 2: $127,974
- Tier 3: $319,865
- Tier 4: $1,919,173
Since OCR began levying financial penalties in 2008, relatively few organizations have had to pay. However, 2022 saw 22 enforcement actions, the most of any year yet. Let's look at some cases and explore why OCR fined these entities and what the lessons are.
Recent HIPAA Violations and Fines
Banner Health (2023)
Banner Health paid $1,250,000 to settle a HIPAA violation. The settlement stemmed from a 2016 hack. After the breach, OCR began an investigation and found "long-term, pervasive noncompliance with the HIPAA Security Rule." The company had not conducted an accurate and thorough analysis of risks and vulnerabilities, performed insufficient monitoring of information system activity, did not implement an authentication process, and lacked security measures to protect ePHI in transmission.
While not every organization that is hacked is found culpable, OCR determined that Banner Health lacked the mechanisms needed to defend against attacks. Regular risk analyses and penetration tests would likely have surfaced these gaps before an attacker did.
Oklahoma State University Center for Health Sciences (2022)
Oklahoma State University Center for Health Sciences paid $875,000 to settle. The cause was again a hacking breach. The investigation uncovered potential violations, including:
- Impermissible use and disclosure of PHI
- Failure to conduct a risk analysis
- Lack of audit controls, security incident response and reporting, and performing evaluations
Again, the right cybersecurity practices would have given the organization a far better chance of preventing this attack. Its failures exposed the ePHI of nearly 280,000 people.
Excellus Health Plan (2021)
OCR levied a $5.1 million settlement, one of its largest. It stemmed from a data breach that impacted 9.3 million people. OCR's investigation revealed potential violations of five HIPAA Security Rule standards, including failure to perform an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.
Had the insurer followed best practices around risk analysis and pen testing, it could have identified these weaknesses before attackers exploited them.
The Best Way to Avoid HIPAA Fines? A Strong Cybersecurity Program with Risk Assessments and Penetration Testing
If you don't want to be on the receiving end of an OCR investigation, your best option is to develop and maintain a strong cybersecurity program. As part of it, focus on what best supports compliance: risk assessments and penetration testing.
HIPAA Risk Assessments Are Required
A risk analysis is required by the HIPAA Security Rule, and a separate risk assessment (of whether PHI has been compromised) is required by the Breach Notification Rule. The goal of the Security Rule risk analysis is to find weaknesses and correct them. OCR's guidance on the analysis includes these steps:
- Collecting data and classifying the location of ePHI
- Identifying and documenting potential threats and vulnerabilities
- Evaluating current security measures
- Determining the likelihood of a threat occurrence
- Assessing the possible impact of such an occurrence
- Defining the level of risk
You’ll also want to perform penetration testing in conjunction with the risk assessment.
HIPAA Penetration Testing Is a Smart Investment
HIPAA doesn't require pen testing, but it reveals a great deal about how well your safeguards meet the HIPAA Security Rule and, indirectly, how they support the Privacy and Breach Notification Rules. Pen tests simulate a real attack, with ethical hackers attempting to penetrate your network and access ePHI.
You'll want an experienced, trusted partner to conduct a HIPAA penetration test. Several provisions within the rules align with pen testing:
- A pen test should assess the risks and vulnerabilities relating to the confidentiality, integrity, and availability of ePHI.
- Organizations should regularly review the mechanisms they have to be HIPAA compliant.
- A pen test should identify how you create, receive, transmit, and maintain ePHI.
- Entities must also be aware of how their vendors and partners access, create, receive, and maintain ePHI.
- You need to define all the threats to data security, including human, natural, and environmental.
- A pen test should review if there are any irregularities internally relating to the privacy of ePHI.
- A response to a simulated breach can be critical to complying with the Breach Notification Rule.
- Testers should know which of the 18 identifiers HHS specifies make health information individually identifiable, and therefore PHI.
- A pen test may need special approaches for some applications because of how they use or embed data.
A thorough pen test ends with a report of all the vulnerabilities found, ranked by severity. You'll then form a remediation plan to execute within your organization, and you can often rely on your pen testing provider to help ensure corrective action is timely.
The bottom line is that health entities must be vigilant not to become a headline. The team at Blue Goat Cyber can help you do this with our assessments and pen testing services. Schedule a discovery call today with us to start the conversation.