The OCR’s Notorious Wall of Shame

AVOIDING HIPAA BREACHES AND THE “WALL OF SHAME”

Healthcare technology is constantly evolving, with the goal of improving efficiency and increasing access. And while that may offer more effective processes and support better care coordination, it also leaves many providers finding it exceedingly difficult to remain compliant amid all of the security measures in the Health Insurance and Patient Accountability Act (“HIPAA”). Whether dealing with staffing shortages, clinic expansion or a lack of training, avoiding breaches of personal health information (“PHI”) is both a top priority and an ongoing challenge.

When breaches do occur, HIPAA requires they be reported to the U.S. Department of Health & Services Office for Civil Rights (“OCR”). Violations that affect 500 individuals or more must be reported within 30 days of discovery to impacted individuals and within 60 days to the OCR and local media. OCR also publishes information identifying these breaches on what has become known as the OCR “Wall of Shame”.  Established under the HIPAA Breach Notification Rule and HITECH Act, the Wall of Shame lists the names and other details of organizations under investigation due to a violation that has occurred within the last 24 months. To state the obvious, you do not want to be placed on this list.

VIOLATIONS ARE HAPPENING MORE OFTEN THAN YOU MAY THINK

• In 2021, 607 violations affecting nearly 45 million individuals were submitted to the OCR and are now visible on the Wall of Shame (a 20% increase in breaches compared to 2019, only two years prior) ¹
• Breaches have increased 84% in the last five years, with 329 reported in 2016²
• The average cost per record breached hit $499 in 2020 on an upward trend, totaling $13.2 billion for the year³
• Unauthorized access/disclosure accounts for 34% of violations every year, up 162% over the past three years⁴
• Hospitals typically account for 30% of all large data breaches⁴

FACING THE CONSEQUENCES

Most often, the OCR resolves cases through voluntary compliance or by accepting a covered entity’s plan to address the breach and adjust policies and procedures to avoid future violations. For severe cases, the Enforcement Final Rule of 2006 allows the OCR to issue financial penalties to covered entities that fail to comply with HIPAA Rules. There are currently four main tiers of such violations⁵:

• Tier 1, $100 – $50,000 per breach: A violation that the covered entity was unaware of and could not have reasonably avoided.
• Tier 2, $1,000 – $50,000 per breach: A violation that the covered entity should have been aware of but could not have avoided.
• Tier 3, $10,000 – $50,000 per breach: This violation is considered to be the result of willful neglect in instances where corrective measures were taken within a reasonable timeframe.
• Tier 4, $50,000 per breach: This violation is considered to be the result of willful neglect in instances where no corrective measures were taken to resolve the breach.

While less common, criminal penalties do exist in addition to fines for various violations, including malicious intent (i.e., selling data for harm or commercial gain).

THE BOTTOM LINE

So what’s the bottom line? The best way to stay away from the Wall of Shame is to have a plan. Make sure your organization has systems and processes in place that protect patient data, with many quality checks along the way.

1. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/
3. https://www.beckershospitalreview.com/cybersecurity/healthcare-data-breaches-up-55-1-in-2020-report-finds.html
4. https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
5. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/