The fourth consideration in this 9 HIPAA Network Considerations blog series, we look at whether ‘not knowing’ is a valid defense post-breach. Is Ignorance Bliss, or will that get you into trouble?
Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013 with compliance to the updates se for September 23, 2013. Audits will also start up again for covered entities and business associates in late 2013 or early 2014.
- HIPAA Audits will continue
- The HIPAA Audit Protocol and NIST 800-66 are your best preparation
- Knowledge is a powerful weapon―know where your PHI is
- Ignorance is not bliss
- Risk Assessment drives your baseline
- Risk Management is continuous
- Security best practices are essential
- Breach discovery times: know your discovery tolerance
- Your business associate(s)must be tracked
Ignorance is not bliss
Gone are the days of using the excuse “I didn’t know, so I’m not accountable” for data breaches and PHI theft. The penalty tiers of the HIPAA Omnibus Final Rule clearly articulate that you will pay for ignorance moving forward. The penalty scheme comprises four tiers, shown in Table 1, adopted from the HITECH Act:
Tier 1―a violation that the covered entity did not know about, and while exercising reasonable diligence, would not have known that the covered entity violated a provision
Tier 2―a violation that was due to reasonable cause and not to willful neglect
Tier 3―a violation was due to willful neglect and was timely corrected
Tier 4―a violation was due to willful neglect and was not timely corrected
Table 1 Categories of Violations and Respective Penalty Amounts Available
|Violation Category||Each Violation||All such violations of an identical provision in a calendar year|
|(A) Did Not Know||$100 -- $50,000||$1,500,000|
|(B) Reasonable Cause||$1,000 -- $50,000||$1,500,000|
|(C) (i) Willful Neglect-Corrected||$10,000 -- $50,000||$1,500,000|
|(C) (ii) Willful Neglect-Not Corrected||$50,000||$1,500,000|
Many organizations interpret this to mean that their maximum penalty per year is $1.5 Million. However, the industry has seen several situations in 2012 and 2013 that the amount paid is much greater than this. This penalty structure is for each violation, with a maximum for that specific violation. For example, if someone loses a laptop and it has unencrypted PHI, the result could be a $1.5 million penalty. If data is then stolen from a server in the data center, that is a different violation and would also be subject to penalties that have a maximum of $1.5 million.
Plausible deniability does not mean that your organization would definitely fit into the ”Did Not Know” category. That category also states that it requires reasonable due diligence and still would not have known. If you refer back to the previous Know where your PHI is, Risk Assessment and Risk Management considerations, and you don’t know where PHI is in your network, or you don’t understand what your network vulnerability and gaps are, or you are not protecting your PHI against anticipated threats; you may find yourself in one of the Willful Neglect categories. And then ignorance is bliss can become very costly.
Network security best practices not only help to keep PHI safe, but they also may reduce the costs of penalties if a breach does occur. Your network is a critical place to exercise reasonable due diligence, and it is also your weapon to defend against beaches and electronic PHI theft from your network environment.
Action: Become informed and leave behind the ‘Ignorance is Bliss’ mantra. Understand the potential costs to your organization due to a breach of PHI, and learn how to use what you have in your network today to reduce those costs and risk.
Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit www.cisco.com/go/compliance.