The Office of Civil Rights (OCR) has been alluding to a large-scale HIPAA audit for quite some time now — and it looks like that threat will soon come to pass.
A pilot audit (dubbed “Phase 1”) was conducted back in 2011 and 2012 to assess a sampling of 115 covered entities (businesses that are liable for HIPAA compliance), and “Phase 2” is now (slowly) underway. It’s not just companies that fell victim to a big breach or that were previously found non-compliant that are likely to be audited. The Office of Civil Rights (OCR) is broadening its scope in an effort to increase awareness about compliance requirements.
Today, every covered entity is a potential audit candidate, from individual and organizational health service providers to health plans and health care clearinghouses. In the fall of this year, business associates, too, can expect to be notified as part of the HIPAA Omnibus Rule.
While the chances of actually being audited are still relatively low, there are several reasons why companies should become HIPAA compliant today.
The Cost of Non-Compliance is Simply Too Steep
There have already been $15 million in settlements this year via the OCR, $5.5 million of which happened just last month. That’s a lot of money for a small business, and a pain, at the very least, for a larger business.
Who was involved in these settlements? Not just covered entities, but their business associates, too. And today, business associates include companies providing services ranging from legal to actuarial, accounting to consulting, data aggregation to accreditation, and more. In other words, it applies to a lot of businesses. Also, a covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
Put simply, if you deal in any way, shape, or form with health care data or companies, you need to be HIPAA compliant and are eligible for auditing. And while the cost of an audit itself could be tens to hundreds of thousands of dollars (depending on your company size and requirements), the fines for non-compliance can range in the millions, including*:
- HHS fines: up to $1.5 million/violation/year
- Federal Trade Commission fines: $16,000/violation
- Class action lawsuits: $1,000/record
- State attorney generals: $150,000 – $6.8 million
- Free credit monitoring for affected individuals: $10 – $30/record
- ID theft monitoring: $10 – $30/record
- Lawyer fees: $2,000+
- Breach notification costs: $1,000+
- Business associate changes: $5,000+
- Technology repairs: $2,000+
For some, these fines (not to mention the bad PR, customer attrition, and more) can be devastating.
Healthcare Data Breaches are Both Frequent and Costly
Healthcare data is clearly a common target. The average cost of a healthcare breach, according to the Ponemon Institute’s Sixth Annual Report on Healthcare Data Privacy and Security, is over $2.2 million for covered entities and more than $1 million for business associates. So coupled with the numbers above, this could get expensive.
While a large number of healthcare breaches make the headlines (Anthem, Premera Blue Cross, and Community Health Systems — among too many others), many more do not. Ponemon reported that nine in 10 healthcare organizations have experienced a data breach in the past two years, and 45 percent of them had more than five breaches in that time period.
While compliance doesn’t always equal security, it becomes pretty clear what HIPAA is trying to achieve in terms of protecting healthcare data. And in talking with many of our own customers, we’ve found that companies are preemptively putting in place practices like continuous monitoring of their systems and networks, user access controls, audit logs, and file integrity monitoring.
Then, when it comes to meeting HIPAA requirements, these companies find they’re already well on their way, making HIPAA not as painful as it could be if they were starting from scratch. We also hear from customers that by having Threat Stack in place, they are able to meet a broad range of these requirements without additional work. This is a big deal when it comes to streamlining tools and processes.
While HIPAA compliance won’t guarantee security or prevent every single breach, it’s a very big step in the right direction.
Business Associate Agreements Necessitate HIPAA Compliance
As I mentioned earlier, business associates are fast moving into the spotlight for HIPAA auditing. Not only that, but as part of the HIPAA Omnibus Rule, covered entities are required to have their business associates sign a business associate agreement (BAA) saying they’re HIPAA compliant.
You see, when a covered entity is breached and/or audited, they are required to hand over their list of business associates. Today in the cloud, that can mean everyone from your cloud service provider (CSP) to your data storage company to your accounting service. Business associates are eligible to be audited as well, and can face significant penalties if found to be non-compliant. The OCR is pretty strict about this:
“If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.”
– David S. Holtzman of the Health Information Privacy Division of OCR
Even if the company you do business with doesn’t yet require a BAA to be in place (don’t expect this to last much longer), it’s still in your very best interest to become HIPAA compliant to protect yourself in the case of a breach.
HIPAA Is a Big Business Driver
You’re probably all too familiar with the sales security questionnaire. No matter how many compliance audits you’ve passed or how many credentials you have, customers — especially the big ones — are going to ask you to fill out their security questionnaires before they even consider doing business with you. With big business on the line, you want to get it right.
Many of their questions will ask about how you’re handling employee logins and access controls, how your systems are monitored for attacks, and how you encrypt data. Those are all pretty standard compliance requirements, too. But unlike compliance bodies like HIPAA, it’s your customers who will feel the true brunt of the pain if you don’t do the things you should be doing and are breached, exposing their data. So, naturally, they want to ask many more detailed questions to really understand how their data would be be protected if they were to do business with you.
The bottom line: Being HIPAA compliant can help you strengthen your business.
Getting Ahead of the Curve: Becoming HIPAA Compliant
While the chances of being audited are still relatively low, if you deal in healthcare data in any way, you simply must be HIPAA compliant. Companies are running out of excuses not to be compliant, especially as the cost of a breach can become significantly higher than the cost of achieving compliance.
Chances are you’re already putting in place many of the same protections and answering a lot of the same questions that you would if you went through an audit, so it’s worth it on many fronts to go ahead and become HIPAA compliant. And because compliance can be a major business enabler, it’s worth the extra time and expense to get it done.
If you have questions, tweet us @ThreatStack, or send an email to [email protected]