If your organization has found itself in the unfortunate position of committing a Health Insurance Portability and Accountability Act (HIPAA) violation, then you are likely familiar with HIPAA resolution agreements.
RELATED: What is HIPAA? Or is it HIPPA?
A HIPAA resolution agreement is a settlement that resolves a complaint or investigation by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) against a covered entity (CE) or business associate. CEs are healthcare providers, health plans, and healthcare clearinghouses; business associates are vendors that create, receive, store, or transmit PHI on a CE's behalf. In the resolution agreement, the organization agrees to carry out specific obligations under a corrective action plan and to submit regular reports to HHS for a set period, generally three years. Many HIPAA resolution agreements also include a resolution payment. During that period, HHS actively monitors the organization's compliance with the agreed-upon commitments. If the organization fails to demonstrate compliance or to complete the corrective actions, HHS may impose civil money penalties (CMPs).
Given the potential severity of a HIPAA CMP and the risk a violation presents to protected health information (PHI), organizations need to be constantly vigilant against potential HIPAA violations.
Organizations must extensively train all of their employees in how to properly safeguard documents that contain PHI. Whether it’s securing physical documents with sensitive data or ensuring digital files are encrypted, all employees should be aware of and follow the necessary precautions.
Encryption is an "addressable" rather than "required" implementation specification under the HIPAA Security Rule: a CE must either encrypt electronic PHI or document why an equivalent alternative is reasonable and appropriate. In practice, encryption is the standard tool healthcare organizations use to protect PHI when a device is lost, stolen, or compromised, and OCR treats unencrypted data on a lost device as a breach.
RELATED: HIPAA Email Encryption Requirements: What You Need to Know
Email phishing attacks and data breaches are on the rise; healthcare organizations must keep antivirus software updated and active on every device that stores or accesses PHI. Email and network servers are the locations most commonly involved in reported breaches, followed by paper and film records. There are many ways an organization can violate HIPAA, and all too often a data breach is what reveals the gaps in its defenses, leading to exposure of PHI, an OCR investigation, and potentially costly fees and penalties.
OCR may implement a combination of the above steps to reach a case resolution.
RELATED: What to Do After You Violate HIPAA
It is essential that healthcare organizations understand the extensive ramifications of a HIPAA violation and the resolution agreement that follows. HIPAA violations not only put an organization's patients at risk but can also be extraordinarily expensive in fines. Every year, OCR reviews thousands of HIPAA cases; in 2018 alone, HIPAA violations cost organizations a collective $28.7 million in fines. HIPAA civil money penalties vary with the severity of the organization's violation:
An organization’s best chance of avoiding costly HIPAA fines is to implement the best possible cybersecurity.
RELATED: US Fertility Sued Over Ransomware Attack
RELATED: Excellus Health Plan Fined $5.1 Million for Data Breach
Using a high-quality cybersecurity program such as Paubox Email Suite Plus can safeguard organizations against potential violations and expensive HIPAA resolution agreements. With our patented email encryption technology, Paubox Email Suite Plus protects your patients' data and lets you send and receive HIPAA compliant email with ease. ExecProtect, an essential, patented feature of Paubox Email Suite Plus, guards against display name spoofing, a common attack in which a message's From display name impersonates an executive while the actual sending address belongs to the attacker; staff who trust the familiar name can be tricked into sending PHI or credentials outside the organization. With extensive phishing, ransomware, and spam protection, Paubox Email Suite Plus removes the burden on staff to encrypt their own email and reduces the risk that human error exposes PHI in a data breach.
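To make the display name spoofing check concrete, here is an added example of the kind of detection a mail gateway can run on the From: header. It is illustrative code written for this page, not Paubox's ExecProtect implementation; the executive directory, the internal domain, and the sample headers are all constructed. It catches two common variants: an executive's name paired with an outside or otherwise wrong address, and an internal email address planted in the display name in front of an attacker's real address.

```python
"""Display name spoofing check on the RFC 5322 From: header.

Added example for this article; not Paubox's code. The directory,
domain and sample headers below are constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Hypothetical directory of protected names -> their legitimate addresses.
EXECUTIVES = {
    "jane doe": {"jane.doe@example-clinic.org"},
    "john smith": {"jsmith@example-clinic.org"},
}
INTERNAL_DOMAIN = "example-clinic.org"  # assumed organization domain

_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms, punctuation and whitespace
    so 'Dr. Jane DOE' and 'jane doe' compare equal."""
    name = unicodedata.normalize("NFKC", name)
    name = re.sub(r"[^\w\s]", " ", name)
    return " ".join(name.casefold().split())


def _contains_tokens(haystack: list[str], needle: list[str]) -> bool:
    """True if needle appears as a contiguous run of tokens in haystack
    (so 'Jane Doeson' does not match 'Jane Doe')."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def check_from_header(from_header: str) -> tuple[str, str]:
    """Classify a From: header as 'ok', 'spoofed' or 'not-exec'.

    Returns (verdict, reason). The reason is meant for the quarantine log."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Variant 1: an internal-looking address planted in the display name,
    # e.g. "jane.doe@example-clinic.org" <attacker@evil.example>
    planted = _ADDR_IN_TEXT.search(display)
    if planted:
        planted_domain = planted.group(0).casefold().rsplit("@", 1)[-1]
        if planted_domain == INTERNAL_DOMAIN and addr_domain != INTERNAL_DOMAIN:
            return "spoofed", f"internal address in display name, real sender {addr}"

    # Variant 2: a protected name whose sending address is not that person's.
    display_tokens = normalize_name(display).split()
    for exec_name, allowed in EXECUTIVES.items():
        if _contains_tokens(display_tokens, exec_name.split()):
            if addr in allowed:
                return "ok", f"{exec_name} from a known address"
            return "spoofed", f"display name matches {exec_name} but sender is {addr}"

    return "not-exec", "display name matches no protected executive"


if __name__ == "__main__":
    # Constructed sample headers covering each branch of the check.
    samples = [
        "Jane Doe <jane.doe@example-clinic.org>",
        '"Dr. Jane Doe" <jane.doe.ceo@gmail.com>',
        '"jane.doe@example-clinic.org" <attacker@evil.example>',
        "Jane Doeson <jd@evil.example>",
        "Bob Vendor <bob@vendor.example>",
    ]
    for header in samples:
        verdict, reason = check_from_header(header)
        print(f"{verdict:8} {header!r}: {reason}")
```

A production gateway would feed this verdict into a quarantine or banner decision rather than just logging it, and would refresh the directory from the identity provider so that name changes and new executives are covered automatically; the token-based match is deliberately strict so that ordinary correspondents with similar names are not flagged.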
RELATED: Hacking and Human Error: Two Enemies of HIPAA Compliance
Protect your organization’s patients from data breaches and avoid costly CMPs by strengthening your email program security.