HIPAA: A Case Study in SC

HIPAA rules have been applied by the federal government to protect the data of customers, patients, and users. The introduction and enforcement of HIPPA has stemmed the flood of data breaches in business organizations and the criminals who profit from selling customer data to other companies and nefarious individuals. We have discussed what HIPAA is and its role in business in previous blogs, this blog will focus mainly on the recent violations that cyber security authorities have seen in South Carolina.

A recent report revealed that the Medical University of South Carolina suspended 13 employees last year due to HIPAA violations. These employees intentionally snooped into the private data of patients, a clear violation of policy. Employee actions such as snooping, are hard to prevent. However, when an organization clearly enforces policy and takes a heavy-handed approach with security violations, they demonstrate “due care”, a requirement under most regulations.

Looking at other violations, the Department of Health and Human Services claimed that in 2017, there were 58 total data breach cases in the hospital and over the past 5 years, 307 data breach cases occurred. The number of breaches, not surprisingly, lead to the firing of 30 members of the non-physician staff but, due to MUSC acting swiftly, the authorities ignored most of these infractions.
​
This information may lead you to believe that MUSC was fined millions of dollars for the exposed patient information. However, we were unable to locate any information that indicates they incurred any fines. Cases such as this happen regularly, organizations can avoid fines if they act quickly in the face of a breach and demonstrate due care. Fines occur when healthcare organizations do not take patient privacy seriously but clearly, MUSC does.

To clarify: all HIPAA breaches, large or small, are required to be reported to the proper channels. However, the authorities only publicly report data breach cases in which the data of over 500 individuals has been compromised.
​
As already seen, not all organizations are fined after a breach. Organizations, like MUSC, who take action as soon as possible and report the breach, are doing what is right by their patients and the Office of Civil Rights and the HHS recognize the effort. The lesson for companies to learn here is that breaches are going to happen but how you handle them determines your fate.

Tandem Cyber Solutions is here to answer questions about HIPAA compliance. If you are unsure whether you business will pass a compliance audit, please reach out to us TODAY!