As a healthcare cybersecurity and HIPAA professional, I want to share some insights on the process of investigating data breaches and issuing fines under the HIPAA regulations.
The process starts with the Office for Civil Rights (OCR), which is responsible for enforcing HIPAA regulations and investigating reported data breaches. When a covered entity or business associate experiences a data breach affecting 500 or more individuals, it is required to report the breach to the OCR within 60 days.
Once the OCR receives a breach report, they begin an investigation to determine the cause of the breach, the extent of the information that was compromised, and whether the covered entity or business associate took appropriate steps to mitigate the breach and prevent similar incidents from occurring in the future.
The length of time it takes for the OCR to investigate a reported data breach and issue a fine can vary depending on the complexity of the case and the level of cooperation from the covered entity or business associate. In some cases, the OCR may be able to quickly determine that the breach was caused by a simple error or oversight and issue a corrective action plan to address the issue. In other cases, the investigation may be more extensive, involving interviews with staff, forensic analysis of computer systems, and review of policies and procedures.
The OCR aims to complete investigations within 180 days of receiving a breach report, but in reality, the actual investigation time can vary widely. According to a recent report by the HHS Office of Inspector General, the average investigation time for HIPAA breach cases completed in 2020 was 329 days. However, this time frame included investigations that were completed in as little as 23 days and as long as 1,507 days.
There have been several high-profile investigations that have taken an extended period of time to resolve.
One notable example is the Anthem data breach in 2015, which affected nearly 79 million individuals. The OCR began investigating the breach shortly after it was reported, but the investigation took over three years to complete. In 2018, Anthem agreed to pay a $16 million settlement to resolve the case, which was the largest HIPAA settlement to date at the time.
Another example is the 2011 data breach at the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates. The OCR began investigating the breach in 2011, but the case was not resolved until 2018, when the entities agreed to pay a $1.5 million settlement.
If the OCR determines that a covered entity or business associate violated HIPAA regulations and that the violation resulted in harm to individuals, they may issue a fine. The amount of the fine will depend on the severity of the violation and the extent of the harm caused. Fines can range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for each violation.
Of course, these penalties are often small compared to the overall cost of a breach, which in 2022 averaged over $10 million per incident, with some soaring into the hundreds of millions of dollars.
Given the significant risks and potential costs associated with data breaches and HIPAA violations, it's crucial for healthcare organizations to prioritize cybersecurity and compliance. One effective way to mitigate these risks is to engage with a consulting firm that specializes in healthcare cybersecurity and HIPAA assessments, such as Hale Consulting Solutions LLC. These firms can provide expert guidance on best practices for securing sensitive data, conducting risk assessments, and ensuring compliance with the HIPAA regulations. By working with a consulting firm, healthcare organizations can reduce the risk of data breaches, streamline the OCR investigation process, and minimize the financial and reputational costs of non-compliance.
"Prevention is better than cure." - Desiderius Erasmus.
For more information, check out the HHS HIPAA Enforcement Page.