Help Me With HIPAA: Enforcement and More News (Ep 266)

 August 14, 2020

By Anton Kiorolgo

HIPAA Say What!?!

This one comes from OCR themselves, released just yesterday. A postcard claims that HIPAA “mandatory” risk assessments must be done and that the way to do one is to contact these people. HIPAA Say What!?!

Alert: Postcard Disguised as Official OCR Communication

August 6, 2020

OCR has been made aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.  The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the health care organization’s HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment.  The link directs individuals to a non-governmental website marketing consulting services.

The postcard below is not from HHS/OCR.


HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  This communication is from a private entity – it is NOT an HHS/OCR communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR.  The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

Years ago I think someone else pulled this stunt. Things are not going to go well for these people. They may be FB Certified HIPAA Experts, but they clearly have just enough knowledge to get themselves in trouble. I doubt OCR will be nice to them if they really did get some business from this FUD mailing. Scare tactics like these create a list of problems:

1. They spread misinformation about HIPAA requirements.
2. They imply that OCR is involved.
3. Anyone who actually falls for it will pay a premium for what will likely be inadequate services.

[17:38] Police are looking into this one. I guess we know who has finally learned this is not a joke. Headline: X-rays of male genitalia may have been shared online by central Pa. imaging employee: police


Data Breach Costs Continue Rising

[27:25] The latest version of the annual Cost of a Data Breach Report from the Ponemon Institute is out. This is the 15th year they have done the report; IBM sponsors it now. There wasn’t much big news in there from a healthcare perspective. The numbers keep going up, as they usually do.


Of course, 2020 must include a cost factor for COVID-related issues. They have added a special category for increased costs due to adjustments made for the pandemic: $137,000 is designated as the additional cost expected due to the volume of remote work this year.


[37:17] But we use this report for more than just the total costs. It is one of the reports we use to set priorities, because it lists the factors that “amplify” or “mitigate” the cost of a breach. Many people debate the totals or the per-record numbers, but very few will argue that the cost factors aren’t pretty accurate.


[39:42] And guess what, this report gives us some good ideas! One important one is that you can’t just throw money at the problem. If you don’t spend the money in the right way, it really doesn’t help, according to this report. The number one way to make data breach costs worse is to have complex security systems.

Security skill shortage is another issue. If you have folks making it complex and then you don’t have people with the skills to monitor everything plus keep it up and running it will

Testing the incident response plan, having a business continuity plan, and actually having an incident response team are the top three ways to mitigate your data breach costs. You know what else is near the top? Employee training!

Tune in to the audio for the full rundown of the data in the report. But one point I want to make clear: yes, the costs are increasing and were already expensive. However, this report shows that the ways to make it worse tend to involve throwing money at the problem without a plan. The ways to make it better are the things not on most management radars when they think about building a secure environment.
