When it comes to compliance, most everyone agrees that the privacy regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA) are critical and worthy of being upheld – even if doing so means extra effort (and expense) by those entrusted to handle such personal data and information. For healthcare organizations, a full commitment to HIPAA compliance is obligatory but there are other groups that are similarly implicated. Those include organizations that may handle significant volumes of PHI for health plans provided to large employee populations, as well as organizations that offer level-, or “self-” funded insurance plans.
So whether you are a healthcare organization, a company that offers a self-funded insurance plan to their employees, is considering doing so, or is simply an organization that has a decent number of employees participating in the company-sponsored health plan, it is wise to make sure that you’re fully in the know. And, with that, fully understand the expectations, responsibilities and best-practices associated with safeguarding patients’ and/or employees’ personal data.
So, What is a Data Breach Anyway?
Most are surprised to find that the majority of breaches are actually not software breaches. In other words, they are not the result of some computer genius in a Cyrano de Bergerac mask, exploiting password weaknesses in order to sell others’ personal data to foreign spies or blackmail their helplessly breached corporate prey. While those types of things do happen, the instances are rare. Instead, we find that the vast majority of breaches are what are called “hardware breaches” which happen, simply, because of employee carelessness. For an example, some major hospital network contractor leaves his unencrypted laptop in the car and has it stolen. Yes, a very unfortunate and expensive, “whoops.”
The thing is, it is easy to imagine an employee of a restaurant chain who also happens to offer a self-funded insurance plan make the same mistake – suddenly, all the medical information of all those national restaurant chain employees hangs in the balance. This is where things can really get sticky. Fortunately, there are some sure-fire ways to prepare and safeguard an organization, as well as its patients’/employees’ most private and personal information. Because when there is a breach, no matter how it comes to pass, is bad for everyone.
So, Who Actually Enforces HIPAA?
The HHS Office for Civil Rights (OCR), does the job of enforcing HIPAA regulations. And based upon 2018 data, alone, they are staying busy. Just last year, HIPAA enforcement activity totaled $28.7 million levied against organizations for breaches of protected information, including one for $165M, the largest single settlement ever. What’s more, the OCR has what they call a “wall of shame” where they list all breach reports over the past two years and unfortunately, it appears that 2019 is already moving in the wrong direction at an epic clip.
It should also be said that just a few years back, the OCR was content to investigate only reported breaches. Not so, today. In the current environment, OCR is mandated to be proactive, identifying organizations that could potentially be vulnerable, auditing and then taking some form of corrective action if deemed appropriate.
Sr. Benefits Consultant
Phone #: 732-559-1156
Fax #: 732-559-1433
Cell #: 848-333-5994