What's at Risk?
Your reputation and financial stability
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
Director Severino is the outgoing head of the OCR at HHS. In March of 2020, a physician in Utah agreed to pay a fine of $100,000 to the OCR (the Office of Civil Rights) to settle a violation of the HIPAA Security Rule that impacted more than 3,000 of his patients. Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements | HHS.gov
Perhaps your healthcare practice has taken the proactive step of investing in a cybersecurity insurance policy, so you're covered, right? Not exactly. It is likely that your insurance provider expects you to meet the same level of HIPAA Security Rule compliance as the state and federal auditors do. An example from 2019 highlights just this:
In February of 2019, Cottage Health Systems of CA agreed to settle a fine with the OCR of $3,000,000. Cottage Health Settles Potential HIPAA Violations for $3 Million | HHS.gov In addition to their fine, they agreed to settle a class action lawsuit from 2015 related to the patient data breach for more than $4,000,000. Cottage Health Systems was then sued by Columbia Insurance, the company that issued the cybersecurity policy, for more than $5,000,000 to recover the full losses incurred from the settlement of the class action lawsuit. Columbia Insurance concluded that Cottage Health Systems had violated the terms of its policy. Enforcing the ‘Mistake Exclusion’ in Data Breach Insurance (tripwire.com)