The Risks of HIPAA Non-Compliance in Password Security
Password security and HIPAA? You’ve got it down. You understand the new Omnibus Final Rule regulations and what they mean in regard to password security. You understand that HIPAA’s new definition of a “business associate” or “subcontractor” means that you, the brilliant IT service provider, are now bound by HIPAA rules and regulations and could be liable in the event of a breach.
Do you really get just how liable you might be, though?
Since the new HIPAA regulations took effect, I’ve had an uneasy feeling that many IT service providers are unaware of just how seriously these changes could affect them. The risk of your client throwing you under the bus in the event of a network security breach is a very real one, and the consequences could be severe.
Below are some questions I’ve been asked about HIPAA regulations as they relate to IT service providers:
“None of my clients are health care providers, so I don’t have to worry about HIPAA, right?”
Even if none of your clients are covered entities (also known as CEs: health care providers, health care clearinghouses, health care plans), they may deal with electronic protected health information (ePHI), which makes them—and by default, you—obligated to adhere to HIPAA rules. For example, if one of your clients is a personal injury law firm, they will have sensitive medical information in their system. As their IT services provider, you probably have access to their entire system. This makes you a “business associate” by HIPAA standards. It’s worth noting that HIPAA doesn’t differentiate between having access to the system and actually accessing the system. Also, under the Omnibus changes, even “subcontractors” working for business associates are responsible for full HIPAA compliance.
“What are the penalties if I don’t comply with HIPAA?”
The Office for Civil Rights (OCR) enforces HIPAA standards, and if they find you to be non-compliant or responsible for a security breach, the penalties can be very harsh. Civil fine penalties vary greatly depending upon many factors (including whether or not the accused is guilty of willful neglect, etc.) but generally range from $100 to $50,000 or more per violation, with a maximum of $1,500,000 per year.
Criminal penalties are imposed on individuals who knowingly disclose or obtain protected information, and can include up to a one-year sentence or a maximum penalty of $50,000.
“Can I be sued by my client if I don’t help them meet HIPAA compliance?”
Yes, you can be sued by your client (for a breach of contract, business associate agreement, etc.), and you can also be prosecuted on a state or federal level. Under HIPAA’s regulations, as a “business associate,” you are directly responsible for HIPAA compliance.
In August of 2012, the first-ever lawsuit against a HIPAA business associate was settled out of court in Minnesota with the state attorney general’s office. The case didn’t involve an IT service provider, but a debt collection agency whose employee had a laptop (containing ePHI) stolen from a car. As part of the settlement, the debt collection company ceased operations.
“Will I lose clients, or gain fewer new clients, if I don’t help them meet HIPAA compliance?”
Most likely, yes. The Omnibus regulation changes created quite a stir in the health care and legal world, and more than ever, businesses are fearful of encountering any noncompliance issues or a public security breach scandal. Covered entities are looking for IT service providers who have a real understanding of HIPAA standards and a solution for meeting them.
For example, HIPAA regulations spell out some network security guidelines—like password best practices and security training for employees. An IT service provider who can provide guidance on password security and HIPAA rules is a “must-have” for CEs.
Passwords are one of the main concerns for CEs, and usually their weakest link in terms of HIPAA compliance. Ideally, an IT service provider will be able to offer their CE or business associate clients a real password solution—one that’s both effective and convenient. Advanced password management solutions, like multi-factor authentication (MFA) and single sign-on (SSO), are options that can help you differentiate yourself as an IT services provider with HIPAA compliance expertise.