This month, the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) announced a $1.25 million settlement after a cybersecurity breach exposed a non-profit health organization’s data that was covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), constituting possible HIPAA violations. The potential HIPAA violations affected 2.81 million consumers. Indeed, cybersecurity breaches and data loss continue across all industries and have implications under multiple employment laws. In December 2022, the HHS applied an employer’s HIPAA obligations to online data tracking. The OCR guidelines included obligations to keep sensitive electronic health data secure and protected.
Possible HIPAA Violations and the Cybersecurity Incident
The OCR initiated its investigation after a breach report indicated a possible cybersecurity hack that compromised millions of users’ electronic protected health information (ePHI). The compromised data included names, dates of birth, addresses, Social Security numbers, lab results, medications, diagnoses, and more. According to the OCR’s investigation, the organization’s potential HIPAA violations included:
- a lack of a risk analysis of the organization’s ePHI storage methods;
- insufficient systems monitoring;
- failure to use an authentication process to safeguard ePHI; and
- a lack of security measures during data transmission.
All in all, OCR investigators found that the potential HIPAA violations were long-term and pervasive. This was particularly concerning, considering the organization kept the ePHI of nearly 3 million users.
Employer Obligations Under HIPAA Security Rule
HIPAA is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement requirements under HIPAA. Standards under HIPAA also include cybersecurity obligations. The HIPAA Security Rule establishes standards to protect individuals’ ePHI. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Covered entities under HIPAA include:
- most health-care providers,
- health plans,
- business associates, and
- health-care clearinghouses.
These covered entities may disclose personal health information only as expressly permitted or required by the HIPAA Privacy Rule.
Penalties for HIPAA Violations
As a result of the purported HIPAA violations, the organization paid $1.25 million to the OCR and agreed to a comprehensive corrective action plan. Briefly, the corrective action plan identifies steps the organization will take to resolve these HIPAA violations and protect ePHI in the future. Steps within the plan include the following:
- conducting a thorough risk analysis of data systems;
- developing and implementing a risk management plan;
- creating and distributing relevant policies and procedures, including a regular system review, an authentication process, and security measures during ePHI online transmission; and
- reporting to the HHS within thirty days of any future HIPAA violations.
The OCR also provides resources to help covered entities under HIPAA improve their cybersecurity and avoid HIPAA violations. Relevant HIPAA Security Rule Guidance Material includes educational tools, physical and technical safeguards, and information on performing a risk analysis.
Presently, many laws require businesses to take reasonable steps to protect personal information collected from customers, employees, or job applicants. Given that, all employees must know the common workplace cybersecurity threats and recognize what protections are available against cyberattacks. To assist employers, Personnel Concepts has developed an online, interactive Cybersecurity Awareness Training Program. Businesses of any size and in any industry can use this resource to help train employees on keeping personal information safe.