Doctors have a lot of deal with these days, especially with all the new changes in health insurance and advances in modern medicine. Getting hacked has got to be a horrible experience for doctors, too, because not only does someone else have a copy of your data, the "bad guys" may be holding your data hostage (and charging you thousands of dollars to get it back). Or they might simply have deleted it from your network entirely (including your backups).
So what could be worse than that?
The short answer is that the law has no problem with kicking a company when it’s down, and so as your office might be struggling to figure out how badly you were hacked, to restore the lost data, and to get back to “business as usual,” the Department of Health and Human Services just might come along and fine you a million dollars or more.
Why One Company Was Fined 2.3 Million Dollars
In 2015, the FBI conducted an undercover operation where they bought some stolen medical records on the “Dark Web,” a part of the Internet that most people know nothing about. (Hint: It’s the marketplace for stolen data.) The FBI traced the source of the data back to a company called 21st Century Oncology, a company that does cancer testing. The FBI found "personally identifiable information" (PII) and "Personal Health Information" (PHI) with patient data, social security numbers, medical diagnoses, and much more.
In December 2017, the Office of Civil Rights, a part of the HHS, came to a $2.3 million settlement with 21st Century (21CO) for violating the HIPAA laws. Specifically, 21CO failed to...
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities of their data.
- Implement security measures sufficient to reduce risks and vulnerabilities sufficiently.
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Have a written “business associate agreement” before disclosing protected health information to third-party vendors.
Why does this matter to a small medical office like yours?
Because the OCR doesn’t care how small or large your practice is. If your company was hacked and your data was breached, they will apply the HIPAA standards and fine you accordingly. And in case you were wondering, you could also end up in jail.
And what’s more, you don’t even have to get hacked to get fined.
Notice that the four things that the Office of Civil Rights listed, none of them have to do with the actual breach of the data. ALL of them have to do with following the procedures to protect your data. In other words, protecting yourself from multi-million dollar fines is easy.
Here’s how you protect yourself
If you are just learning about your potential risk for huge HIPAA fines, there is really only one thing you need to know:
Protecting your practice starts with a HIPAA Risk Assessment. Simply having your Assessment done can save you almost a quarter of a million dollars in fines. And maybe just as importantly, it provides a clear road map to becoming HIPAA compliant, securing your data, and protecting your staff and patients from the problems related to a data breach -- including having your business shut down.
Generally speaking, small businesses, including medical practices like yours, often don’t have the budget to protect themselves the way a big business can. But 21st Century Oncology shows that just having a big business budget doesn’t mean you’re going to do the right thing.
Even with a small business budget, you can get protection that greatly exceeds whatever 21CO was doing.
It might interest you to know that 21st Century Oncology has since filed for Chapter 11 bankruptcy protection.
If your business stores or uses Personally Identifiable Information or Personal Health Information (like a physician, optometrist, dentist, hospital, attorney, therapist, psychologist, manufacturer, or personal care organization normally does), you need to protect yourself from the effects of getting hacked and having your data breached.
Find out how easy it is to have your HIPAA Risk Assessment completed. Digital Uppercut is one of the most thorough and respected Regulatory Compliance companies in Los Angeles. Our approach, which combines regulatory compliance with security and solid IT, is unique in Southern California. Contact or call us today, and let’s chat about you, your business, and what we can do together to help protect it.
