Having a Security Incident Response Plan (SIRP) will allow an organization to respond to a security incident. We define the steps of a SIRP here.
An article at Government Health IT carries a question-and-answer segment with Leon Rodriguez, director of the Office of Civil Rights (OCR) at the Department of Health and Human Services, from the recent Healthcare IT News/HIMSS Media Privacy & Security Forum.
Rodriguez made it clear that organizations that have a SIRP in place and act quickly and decisively on large breaches will receive less severe or no monetary penalties. Organizations that do not act on, or correct, the issues related to a breach will receive much higher monetary penalties.
“One of the first things we look at is what did the entity do to analyze the root cause of the breach,” he said. “[And] what did it do to remedy the root causes. Huge points for the entity that acts decisively to deal with those issues, to identify the reasons for the breach.”
He went on to illustrate a case where there was a breach but no action was taken to correct the issues related to the breach.
Rodriguez: I can talk about the converse…there is a specific entity that was subject of enforcement where there was a very clear failure to have corrected the issues related to the breach for many months after the breach. That ended up really really increasing the monetary exposure of that entity. And so one of those $1.5 million wage fines you’ll see if you look at our chart of recoveries was that kind of situation.
Rodriguez also points out that there are organizations that have had breaches but have failed to report them. He expects to find some of these organizations soon. From his comments above, it can be assumed that an organization that has purposely failed to report a breach will be looking at severe penalties.
Rodriguez: We do have a safe harbor for breach reporting, and that is where the information lost is in a form that is unusable, unreadable or undecipherable. And I am aware of entities that have conducted and, more or less, correctly conducted analysis. I think there is another group of entities out there that don’t even do that, and I think we’re going to find them soon. So far, we haven’t had that case where there was a clearly reportable case that wasn’t [reported]…I think there is a lot of breach activity out there that’s not getting reported.
OCR had its biggest year of enforcement collections and collected close to $4 million in fines. Even so, Rodriguez made it clear that only a small number of organizations accounted for the $4 million.
“We’re still talking about a relatively small number of entities affected. We’ve only had, all told, about 10 of these cases.”
Leon Rodriguez and OCR continue to send a clear message to organizations covered by HIPAA regulations that enforcement will continue. Furthermore, monetary fines will be handed out to those organizations that fail to report, respond to, or correct data breaches.