Cyberattacks against healthcare providers cost healthcare organizations $5.6 billion in 2020. This includes the cost of resources lost due to shutdowns and the burden of fines.
The Department of Health and Human Services Office for Civil Rights (OCR) holds healthcare providers liable for negligence. The OCR imposes fines and other penalties for HIPAA violations.
It doesn’t matter whether an organization violated HIPAA for malicious reasons or simply neglected its responsibility to its patients. Either way, violations put patient privacy at risk.
This month, two significant HIPAA cases made headlines. Together they also underscore the importance of abiding by state-level patient privacy laws.
First, Dominion National finally settled a 2019 class-action lawsuit for $2 million. The harmed class filed the suit in Virginia after hackers breached the health plan’s security system. Attackers compromised 2.9 million patients’ data for ten years.
Second, the OCR is investigating the Lake County Health Department and Community Health Center. The investigation explores the impact of a security breach. It compromised 705 individuals’ private information.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is known as HIPAA. Five types of organizations and institutions must abide by HIPAA.
HIPAA Regulates Healthcare Organizations
HIPAA applies to private healthcare companies, non-profit healthcare-adjacent organizations, and public organizations. The Department of Health and Human Services enforces HIPAA.
The HHS also establishes which organizations must meet HIPAA standards. HIPAA is a federal law that regulates:
- Healthcare providers
- Medical practices
- Government and private health insurance groups
- Local and regional public health departments
- Clearinghouses and tech companies that work with private patient information
HIPAA maintains patients’ privacy and access in healthcare settings.
In essence, HIPAA protects patients’ private health information (PHI). It mandates high, precise security standards and practices. These practices concern how organizations store and transfer patient data.
The HHS updates these mandates as technology changes and cybersecurity threats evolve. These mandates include processes that maintain patients’ anonymity when necessary.
HIPAA Mandates and Regulations
HIPAA also stipulates when an organization may legally share or transfer PHI. Healthcare organizations may only share or transfer PHI with a patient’s authorization.
There are rare emergencies where patients cannot authorize an organization to share their PHI. Yet, transferring this data is critical to saving their lives. HIPAA also codifies reasonable safeguards an organization must apply in these contexts.
Lastly, HIPAA codifies regulations that ensure patients have fair, timely access to health plans and their PHI. The mandate also stipulates tax regulations that apply to healthcare organizations.
Dominion Health Settlement
Dominion National is a health plan organization that encompasses a dental health service. In 2019, Dominion National notified patients of a data breach. It compromised patients’ personal health information.
Investigators determined that hackers had breached patient data repeatedly since 2010. Dominion National leaders only discovered the security breach in 2019. At that time, the breach affected 2.9 million patients.
Hackers broke into Dominion National’s data storage system. They stole or held personal data for ransom. This included patients’ Social Security Numbers and diagnostic information.
As a result, anonymous buyers stole some patients’ identities. The breach and the resulting identity thefts caused financial losses. They also caused psychological distress for many of the affected patients.
This distress led the affected patients to file a class-action lawsuit against Dominion National. Dominion National violated HIPAA regulations and patient privacy laws in Virginia and Oregon.
Private Cause of Action
An individual or harmed class normally cannot file a lawsuit against a healthcare organization under HIPAA itself, even when the organization violates HIPAA regulations. Instead, patients must file a complaint with the Department of Health and Human Services Office for Civil Rights.
Then, the OCR investigates and decides whether to impose fines or penalties against an organization that violates HIPAA.
But, in this case, harmed patients could file a class-action lawsuit with the United States District Court. This is because Dominion National also violated patient privacy laws in Virginia.
$2 Million Settlement
The United States District Court ruled that Dominion National violated patient privacy laws. The court found Dominion National negligent in its maintenance of data security.
Dominion National had not updated its cybersecurity system. It had not checked on the system’s security status in almost nine years.
This neglect led to the long-term breach of patient data. The United States District Court ordered Dominion National to pay the harmed class a $2 million settlement.
Individual harmed patients can claim reimbursement for damages until October 2021. Patients may claim up to $7,500 for damages caused by identity theft. They may also submit a claim for up to $300 to cover out-of-pocket expenses for credit monitoring services and $100 for lost time.
If every affected patient filed a claim for reimbursement, Dominion National would have to pay over $2 million in settlements.
But, there is a legal cap on settlement payments in this case. So, in practice, Dominion National will not have to pay over $2 million.
OCR Investigates Lake County Health
This month, the OCR opened an investigation into a security breach in Lake County, Nebraska. The Lake County Health Department and Community Health Center reported a security breach. This breach may have compromised the PHI of 705 patients.
The department notified patients of the breach within 60 days, per HIPAA regulations. No patients have suffered damage.
The security breach was allegedly due to a “software error,” rather than a cyberattack. The error caused the Lake County Health Department and Community Health Center to send PHI to a third party without patients’ authorization. The PHI included patient Social Security Numbers.
The regional HHS says LCHD fixed the error. HHS officials from the state of Nebraska encourage affected patients to file reports with the police. They may also file reports with credit bureaus to create a potential fraud alert.
HIPAA Challenges Rural Health Departments
Rural health departments and community health organizations face extra barriers to HIPAA compliance. These departments face tighter budget restrictions than larger organizations do. This limits rural health departments’ access to software security upgrades.
Covid-19 has also stretched Lake County Health Department’s budget. Officials must carefully follow HIPAA and Covid regulations and deal with patient access issues. Affordable HIPAA training is critical in this context.
Patients in rural communities also face barriers when someone violates their privacy. Some patients affected by the Lake County Health Department breach cannot access a phone or the internet. This makes it harder for them to protect themselves from identity theft and other potential fallout from the breach.
OCR’s investigation is ongoing. OCR may choose not to impose fines over a HIPAA violation if it determines no patients came to harm.
What Is HIPAA Training?
HIPAA training is a series of classes that teach organizations the ins and outs of HIPAA regulations. Healthcare organizations can sign up for HIPAA training classes to earn HIPAA certification. A good example of HIPAA training, especially important during this pandemic, is the bloodborne pathogens training.
HIPAA training empowers healthcare organizations to abide by HIPAA regulations. Training prevents HIPAA violations by teaching all employees the current HIPAA standards.
It also provides checklists and strategies. An organization can adopt these strategies to secure, maintain, and transfer PHI within the bounds of the law.
Trained healthcare organizations provide patients with timely access to their own PHI. They don’t impose unreasonable barriers. Training empowers institutions to create policies that align with federal and state guidelines.
HIPAA Training Differences
Healthcare organizations can also prevent violations of state privacy laws. A trained organization can avoid a class-action lawsuit filed for violating state law. Thus, many HIPAA training programs offer integrated lessons on meeting state regulations.
Healthcare organizations can choose HIPAA training classes based on their medical sub-field. All classes cover the strategies and resources an organization needs to stay compliant.
But, some HIPAA training is specific. It emphasizes practices that prevent common pitfalls in specific healthcare contexts.
For example, a business maintaining patients’ dental records will face certain challenges. These challenges differ from a rural county community health center. Medical coders have different tasks using patient data than hospital administrators do.
While both must abide by HIPAA regulations, each organization will find different HIPAA classes useful. Different classes tackle the hurdles of abiding by HIPAA mandates with different solutions.
What Is HIPAA Certification?
The HHS’ OCR does not certify organizations as HIPAA-compliant. Instead, organizations can earn HIPAA certification through third parties.
HIPAA certification tells patients that a healthcare organization takes their privacy seriously. HIPAA-certified institutions earn patients’ trust. They show that their policies and procedures align with federal guidelines.
Organizations that offer HIPAA training also frequently offer evaluations. These training organizations can certify a healthcare practice as HIPAA-compliant once it meets regulatory standards.
Meet HIPAA Compliance Standards Today
Meeting HIPAA standards builds patients’ trust in your organization. It also protects your practice from the fines and penalties that add up if your institution violates HIPAA.
Your organization is more likely to inadvertently run afoul of HIPAA when:
- Employees are ignorant of HIPAA regulations
- Your HIPAA-compliance practices or policies are out of date
- Your organization lacks the technology to protect patient data effectively
Any healthcare organization can avoid these missteps. You don’t need to wait for an OCR investigation to improve your organization’s HIPAA compliance practices. Prevent HIPAA violations before they happen.
Look into HIPAA training and certification today. Choose from among dozens of classes and bundles. Integrate HIPAA compliance into your organization.