“Not Me”. Premera Blue Cross will pay $6.84 million and Athens Orthopedics will pay $1.5 million-dollar. The key phrase we found on these and other cases was “systemic noncompliance with the HIPAA Rules”. The problem as we see it is that most of the people we talked with think that this will not happen to them, yet they have no idea of their level of exposure. At the very least, we recommend that they address all Standards of HIPAA Security and that they ensure that their Business Associates understand and follow the dictates of the Omnibus Rule.

• “Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska and is the largest health plan in the Pacific Northwest, serving more than two million people.”

https://www.hhs.gov/about/news/2020/09/25/health-insurer-pays-6-85-million-settle-data-breach-affecting-over-10-4-million-people.html#:~:text=Premera%20Blue%20Cross%20(PBC)%20has,HIPAA)%20Privacy%20and%20Security%20Rules

• Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually.

https://www.hhs.gov/about/news/2020/09/21/orthopedic-clinic-pays-1.5-million-to-settle-systemic-noncompliance-with-hipaa-rules.html

The challenge as we see it is that most Organizations believe that they have a viable security program as required by HIPAA yet the reality is that most of the programs we look at are not even close. For example; does your Security Risk Analysis meet the requirements of the law?

Understand that not all Security Risk Analysis are the same and that the law specifies that you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI)

Looking at it from a different angle. Imagine that you are in court and that they ask you about any one of the standards under HIPAA. Can you provide a policy and evidence demonstrating that you have met this requirement? Considering that mandatory fines can reach up to fifty thousand dollars ($50,000.00) per incident; can you afford not to verify your compliance status?

The bottom line is that no one is safe and that at any point in time you may be the subject of the next “news release” from OCR.