
HIPAA Compliance Blog


The Severity of Noncompliance: Victims and Liability

by Alex Hirsch (SU)

We talk about the importance of HIPAA compliance all the time in the medical profession, and there’s a good reason for that. In today’s article, we’re taking a closer look at a major incident that happened not very long ago.

Columbia Surgical Specialists: A HIPAA Compliance Case Study

It was only recently that the computer systems of Columbia Surgical Specialists of Spokane were attacked with ransomware. The internal information of nearly 400,000 patients was suddenly encrypted by unknown perpetrators, and medical staff were unable to access anything during the attack.

The information included the patients’ full names, social security numbers, driver’s license numbers, and personal health-related data – all of which may or may not have been leaked to said perpetrators as a result. Ultimately, Columbia Surgical Specialists ended up paying the demanded $14,649.09 ransom (which is why it is called ransomware) to these criminals.

The good news is that the vulnerability that was exploited to reach the CSS network server and install the ransomware has since been addressed. Additionally, the organization's internal protocols – along with its workplace procedures – are being reviewed to prevent future attacks.

These are, of course, the correct steps to take, but they are still only reactive steps. Is it enough?

One HIPAA-Related Question Can Lead to More

Beyond how this breach personally impacts the patients and staff involved, the big question still looms: How was this even allowed to happen? I’m not implying any kind of internal conspiracy. I’m questioning what kind of safeguards were in place to prevent this kind of catastrophe.

As a reminder, in the United States, electronic protected health information (ePHI) management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements. All covered entities, including hospitals, doctors' offices, and health insurance providers, must abide by HIPAA Security Rule guidelines when handling ePHI.

Now we have more questions.

● Were these guidelines followed to their fullest in this case?

● Did this medical organization do everything it could to meet these guidelines?

● What about ePHI stored in employees’ email accounts?

● What about old data that may have been stored insecurely and left connected to the internet?

It’s also worth noting that, according to HHS:

“[Covered entities] are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions.”

Did Columbia Surgical Specialists contract with business associates? We might never know the full extent to which this information was – or still is – at risk.

Reaction to a HIPAA Violation Is Not Compliance

It’s not enough for a health care organization to react to a breach. Legally, noncompliance can become a nightmare for all parties involved; the individual who caused the breach is not the only one who ends up taking the blame.

One single mistake has the potential to implicate an entire organization. And that doesn’t just result in hefty fines. It results in loss of the public’s trust and the organization’s reputation.

Help for Your Medical Practice with HIPAA Compliance

When we talk about complying with HIPAA rules, we’re not just talking about protecting potential victims from attack. We’re also trying to make medical professionals understand the severity of what noncompliance means for the practice as a whole.

In this particular instance, Columbia Surgical Specialists has been open about the breach, and they did everything they could to respond to it after it occurred. But these rules are put in place to support a preventive approach rather than a responsive one. Prevention reduces risk and can save you from a major liability.

If you are looking for a reliable partner in helping your medical practice comply with HIPAA and avoid making costly errors, contact us today at Colington Consulting. We look forward to hearing from you.
