If your organization hosts data regulated by the US government, you’re familiar with the scare tactics used to sell hosting services. But what lurks behind those vague threats of expensive lawsuits and unfair liability burdens? HIPAA is nearly 100 pages long and few providers actually know what it requires. Unfortunately, it took a massive breach of healthcare-record data to give us a clearer picture, but let’s take a closer look at what we can glean from the incident.
As the largest fully integrated healthcare system in Illinois, Advocate Health Care Network’s mismanagement of electronic medical records (EMR) came as quite a shock. Regardless of your feelings on such a sizable provider being unable to maintain secure EMRs, what can’t be argued is the precedent set by last month’s $5.5-million settlement.
How exactly did it come to such a historic penalty? The answer is threefold. Firstly, Advocate failed to perform the risk assessments mandated by HIPAA regulations — an oversight that could have potentially prevented the other two infractions. Secondly, Chicago’s premier healthcare network failed to obtain proper written agreements with each of the business partners who had access to its data, which may have gone unnoticed if one of its associates had not been the subject of a security breach.
The final infraction, and arguably the most directly relevant to Advocate’s internal security policies, was the unsatisfactory safeguards in place on two stolen laptops with confidential medical information. While the breach of its business partner’s network only put 2,000 EMRs at risk, the stolen computers had access to almost 4 million.
So, if you’re tired of vague platitudes about ‘penalties for lax data compliance’ or the ‘liability risks of mediocre security,’ this is your answer: inadequate preventative measures, unfit business partners, and poor internal security protocols can spell millions in damages. Unfortunately, this isn’t just an aberrant case — the total punitive damages for HIPAA noncompliance in 2015 totaled $6.2 million; after just over eight months into 2016, they currently stand at $20.3 million.
Keep your company’s name off the growing list of companies that didn’t have suitable systems in place when it mattered most. Our technology management best practices provide a full range of security processes. We’d love to tell you all about it.