Healthcare Security Breach: $650,000 HIPAA Settlement

by John DiGiacomo

Partner

Data Breach

University of Massachusetts Amherst was recently hit with a Health Insurance Portability and Accountability Act (HIPAA) compliance settlement by federal regulators after suffering a healthcare security breach in 2013, according to DataBreachToday.com. The school had failed to include its Language, Speech, and Hearing Healthcare Services as part of a HIPAA-covered component of its health care system, meaning that the speech and hearing healthcare center was not subject to HIPAA privacy and security rule requirements when it should have been. Similarly, no security risk assessments were performed on the center until late in 2015.

Since UMass Amherst is an educational institution, it places the healthcare security breach in a unique context. In a university setting, certain components of the school are required to be HIPAA compliant and others are not. The university is responsible for drawing the line between what components need to be covered by special security measures and which do not.

Malware Causes Significant Healthcare Security Breach

A computer in UMass Amherst’s Center for Language, Speech and Hearing that was not equipped with a firewall became infected with malware in the summer of 2013, resulting in the unauthorized disclosure of protected electronic information belonging to 1,700 students, faculty and employees. Social Security numbers, names, dates of birth, addresses, health insurance information, and medical diagnosis and procedure codes are some of the types of student and employee data exposed in the breach. There was no clear evidence that any data was copied from the infected computer, but copying could not be ruled out, so the data of all 1,700 affected individuals is treated as exposed.

HIPAA Compliance Settlement

Although the breach was relatively small compared to other health care system breaches, federal regulators required UMass Amherst to pay $650,000 in a settlement and to adopt and implement a corrective action plan. The corrective action plan requires the school to:

  • Create and implement a risk management plan for the future.
  • Review and revise the school’s policies and procedures for identifying the HIPAA-covered components of its operations.
  • Perform an organization-wide risk analysis.
  • Train and/or retrain all employees on HIPAA compliance, procedures, and policies.

HIPAA Enforcement: Why Small Breaches Carry Large Penalties

The UMass settlement illustrates a principle that healthcare entities frequently underestimate: the size of a HIPAA breach does not determine the size of the penalty. The HHS Office for Civil Rights (OCR) calculates penalties based on the covered entity’s culpability, specifically what it knew about its compliance failures and whether those failures constituted willful neglect. A covered entity that never conducted a required risk assessment, as was the case with UMass, faces maximum penalty exposure because the failure to conduct a risk assessment is itself a standalone HIPAA violation, one that OCR has repeatedly characterized as the foundation of HIPAA compliance.

The HIPAA Risk Analysis Requirement

The HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1), requires covered entities and business associates to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. This risk analysis must be documented, must cover all electronic information systems used by or on behalf of the covered entity, and must be updated periodically and whenever the technical or operational environment changes.

Failure to conduct a required risk analysis is the single most common finding in OCR enforcement actions. OCR has brought cases resulting in settlements and civil monetary penalties against hospitals, clinics, insurers, and educational institutions solely on the basis of risk analysis failures, even where no breach occurred. When a breach does occur in the absence of a conducted risk analysis, as was the case with UMass, the penalty exposure is substantially higher because OCR can characterize the omission as willful neglect.

Hybrid Entities and HIPAA’s Component Coverage Rules

The UMass case raised an important compliance issue specific to large institutions: HIPAA’s hybrid entity rules. Many large organizations — universities, state and local governments, corporate conglomerates — perform some functions that qualify as healthcare operations subject to HIPAA and other functions that do not. These entities can elect to be treated as “hybrid entities” under 45 C.F.R. § 164.105, designating which components of the organization are covered “healthcare components” subject to HIPAA.

The UMass violation arose from the failure to include the Language, Speech, and Hearing Center in the school’s designated healthcare components when it should have been. This failure meant that HIPAA’s Security Rule requirements — including the requirement to conduct a risk analysis and to implement basic technical safeguards like firewalls — were not applied to a system that in fact processed PHI. Any covered entity that operates as a hybrid entity must periodically review and update its designation of covered healthcare components to account for changes in which units handle PHI.

The HIPAA Civil Monetary Penalty Structure

OCR is authorized under 42 U.S.C. § 1320d-5 to impose civil monetary penalties (CMPs) for HIPAA violations. The penalty structure is tiered based on the covered entity’s culpability:

  • Category A — Did not know: $100 to $50,000 per violation, up to $25,000 per year for identical violations. A covered entity that lacked actual or constructive knowledge of the violation falls in this category.
  • Category B — Reasonable cause: $1,000 to $50,000 per violation, up to $100,000 per year. The covered entity knew or should have known about the violation but the violation was not due to willful neglect.
  • Category C — Willful neglect, corrected: $10,000 to $50,000 per violation, up to $250,000 per year. The violation was due to willful neglect, but the covered entity corrected it within 30 days.
  • Category D — Willful neglect, not corrected: $50,000 per violation, up to $1.5 million per year. This is the maximum penalty category, applicable when the covered entity knew of the violation and failed to correct it.

These annual caps apply per violation category, meaning that a covered entity found to have multiple simultaneous violations — for example, a failure to conduct a risk analysis, a failure to implement firewall protections, and a failure to designate covered components — faces stacked penalty exposure. The UMass $650,000 settlement, though significant for a breach affecting only 1,700 individuals, reflected the multiple simultaneous violations OCR identified.

Corrective Action Plans and Resolution Agreements

OCR typically resolves enforcement actions through a Resolution Agreement, which includes both a monetary payment and a Corrective Action Plan (CAP). The CAP is the more operationally demanding component — it requires the covered entity to implement specific compliance measures, provide documentation to OCR demonstrating compliance, and submit annual compliance reports to OCR for a period of years. CAPs are not merely paperwork exercises. OCR monitors compliance with CAPs actively, and failure to comply with CAP requirements can result in additional enforcement action and additional monetary penalties.

Contact a Healthcare Data Breach Attorney

Cybersecurity is a rapidly changing area of law, and the data breach attorneys at Revision Legal work hard to stay up to date on the current state of HIPAA enforcement. Revision Legal has worked with businesses of all sizes to assess health care and other data breach issues and has helped clients in all 50 states. If you are concerned that your organization has experienced a HIPAA breach, or if you have received notification of a potential HIPAA investigation, contact the experienced data breach attorneys at Revision Legal as soon as you can. Contact us using the form on this page or call us at 855-473-8474.