I’m working on a breach post for later today but started mulling over the question of whether HHS needs to start fining covered entities who have repeat breaches where the entity did not seem to adequately harden their security after the first breach or to really learn from experience.
This is 2010. The excuse “we were in the process of encrypting” or “now we’re going to encrypt” seems inadequate. HIPAA went into effect in 1996. Why are some of these easily avoidable breaches still occurring? HHS has adopted an educative and corrective approach, but how many times do some entities need to be educated before the government starts hitting them with fines in addition to the other costs of a breach?
Do you think that it would help if HHS started handing out fines to repeat offenders? If so, what scenarios would you think should lead to fines? I’d nominate inadequately secured PHI on a device stolen off-premises as my first nomination. As a close second, repeated theft of devices from hospital premises where the data at rest were not adequately protected.
Your thoughts?
I used to work for a Mental Health agency in Maine. The idiot IT Manager used to state that as long as he thought the data security was “good enough” then the agency was HIPAA-compliant.
They subsequently bought a new software package that was file-server based which means that any user had full access to the data files in the directory. The files themselves could be accessed (without any auditing) by right-clicking on the file itself and using Notepad read all the client data, for example.
When I brought this to their attention, they just blew it off. I believe that they changed their backend database to PervasiveSQL (an SQL wrapper for bTrieve files). You could no longer use Notepad to access the data you had to use Wordpad.
This vendor is now trying to become the preferred vendor in California.