3. Failure to Manage Security Risks / Lack of a Risk Management Process
Performing a risk analysis is essential, but it is not just a checkbox item for compliance. Risks that are identified must then be subjected to a risk management process: they should be prioritized and addressed in a reasonable time frame. Knowing about risks to PHI and failing to address them is one of the most common HIPAA violations penalized by the Office for Civil Rights.
HIPAA settlements with covered entities for the failure to manage identified risks include:
Alaska Department of Health and Social Services – $1.7 million penalty for the failure to perform a risk analysis and for risk management failures.
University of Massachusetts Amherst (UMass) – $650,000 penalty for risk
Metro Community Provider Network – $400,000 penalty for risk management failures.
Anchorage Community Mental Health Services – $150,000 penalty for the failure to manage risk to ePHI.
4. Failure to Enter into a HIPAA-Compliant Business Associate Agreement
The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.
Notable settlements for these common HIPAA violations include:
Raleigh Orthopedic Clinic, P.A. of North Carolina – $750,000 settlement for the failure to execute a HIPAA-compliant business associate agreement.
North Memorial Health Care of Minnesota – $1.55 million settlement for failing to enter into a BAA with a major contractor and other HIPAA violations.
Care New England Health System – $400,000 settlement for the failure to update business associate agreements.
5. Insufficient ePHI Access Controls
The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties.
Financial penalties issued to covered entities for ePHI access control failures include:
Anthem Inc. – $16,000,000 penalty for access control failures and other serious HIPAA violations.
Memorial Healthcare System – $5,500,000 penalty for insufficient ePHI access controls.
Texas Department of Aging and Disability Services – $1,600,000 penalty for risk analysis failures, access control failures, and information system monitoring failures.
University of California Los Angeles Health System – $865,500 penalty for the failure to restrict access to medical records.
Pagosa Springs Medical Center – $111,400 penalty for the failure to terminate access to ePHI after an employee termination and a lack of a business associate agreement.