HIPAA Crackdown on Security Hacks

By Rita Pyrillis

Apr. 19, 2015


Health care security breaches are on the rise with headline-making hacks at insurer Anthem Inc. and NewYork-Presbyterian Hospital, giving employers reason to be concerned.

This year, the Department of Health & Human Services’ Office for Civil Rights is conducting Health Insurance Portability and Accountability Act, or HIPAA, compliance audits, and HR departments need to prepare, according to Gordon Rapkin, CEO of Archive Systems Inc., an HR document manager based in Fairfield, New Jersey. The office hasn’t announced when audits will commence. 

“Employers need to know that they are obligated to protect this information, they must show that they are capable of protecting this information and prove that their employees have been trained to do so,” Rapkin said. “You must be able to prove all that in a very short window of time if you’re unfortunate enough to be selected for an audit.”


In 2011 and 2012, the HHS conducted a pilot phase of the audits, selecting 150 “covered entities,” a category that includes providers and health plans, as well as the employers that sponsor those plans, according to the HHS. Those chosen have 10 business days to provide supporting documents, Rapkin said.

“You don’t want to be in a situation where you are tagged for an audit and can’t respond in a timely fashion,” he said. “That triggers fines, and the fines have been hefty. It’s like a disaster plan. It’s incumbent on organizations to have one in place.”

In 2014, Columbia University and NewYork-Presbyterian Hospital were fined a combined $4.8 million for failing to secure the health records of more than 6,000 patients. In 2013, Anthem Inc. (then known as WellPoint Inc.) was fined $1.7 million when the health records of more than 600,000 patients were made available to unauthorized users.

Rapkin urged employers that have not yet conducted a HIPAA risk assessment to do so as soon as possible.

He said employers should focus on training employees to understand HIPAA policies and procedures and take an inventory of safeguards to protect physical and electronic information. If a breach occurs, employers must be vigilant about notifying individuals whose information was compromised.

“In the past it was easier to sweep things under the rug,” he said. “You can’t hide by saying, ‘Well someone left a laptop at Dunkin’ Donuts, but we don’t know if it’s been breached.’ You must notify any individual affected even if you only have reason to believe that you’ve been breached.”

Initially HIPAA was about health information portability — the ability to take records from one vendor or provider to another, he said. “It advanced to be much more about security as requirements like the HITECH Act came into play.”

The HITECH Act, or Health Information Technology for Economic and Clinical Health Act of 2009, required organizations to publicly report breaches involving more than 500 patients, increased fines for violations, mandated that the HHS conduct audits, and extended the rules to third parties that work with health care organizations.

Rita Pyrillis is a writer based in the Chicago area.
