Inside TDV - The Data Vault Blog
University Pays $400,000 Over HIPAA Violations
In another example of just how important having a data management plan truly is, Idaho State University recently had to pay $400,000 to the U.S. Department of Health and Human Services (HHS) over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
Yep, $400,000 for HIPAA violations. The penalty is the result of a breach of unsecured electronic protected health information of roughly 17,500 patients at the university’s Pocatello Family Medicine Clinic. What may be scarier is that it appears no files were actually accessed – they were merely left unprotected because a firewall had been disabled and the lapse went unnoticed for 10 months.
So that nearly half a million dollars was in response to what could have happened, not even necessarily what did.
The Association of Corporate Counsel notes that this illustrates that simply having policies and procedures in place regarding protection of data that falls under HIPAA’s regulations isn’t enough. There has to be risk assessment and constant monitoring. Otherwise? You may be paying out nearly half a million dollars to the federal government.
Think of it this way: Could your medical practice or healthcare-related business absorb that kind of a hit over careless HIPAA violations?
So take a step back for a moment and think about how your data is protected. Are you storing paper records on-site or at a self-storage site that isn’t HIPAA compliant? What about your digital data backup? If you’re backing up to data tape, where are they being stored? And are you assessing the vulnerability of those files on a regular basis?
“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said Leon Rodriguez, director of Health and Human Services’ Office for Civil Rights. “Proper security measures and policies help mitigate potential risk to patient information.”
If your records and data aren’t professionally protected in compliance with HIPAA regulations, and risk assessments aren’t undertaken frequently, the next $400,000 penalty could conceivably be coming out of your coffers. And that wouldn’t be good at all.
To find out how you can better manage your data and compliance to protect your company from the risk of HIPAA violations, please contact The Data Vault at 502.244.1151 or by filling out this easy-to-use online form.