The carrot, the stick, and the donkey: A HIPAA safe harbor?

Ty Greenhalgh

Ty Greenhalgh

By Ty Greenhalgh

Ty Greenhalgh (Ty.G@Claroty.com), Regional Director, Virginia Beach, VA.

The carrot and the stick are a metaphor depicting the combination of both reward and punishment attempting to induce a desired behavioral response. We have all seen memes or cartoons of two riders racing donkeys. The losing rider is beating his donkey with a thorned switch and spurring it to move faster. The winner smugly sits in his saddle, casually holding out a baited pole in front of his donkey. Is one strategy better than the other? Are they more effective when used together? A new bill was recently signed into law that is passing out carrots to the healthcare industry.

The stick

In 2016 and 2017, the Office for Civil Rights (OCR) conducted HIPAA compliance audits of 166 covered entities (CEs) and 41 business associates (BAs).[1] The compliance effort ratings demonstrated 86% and 78% of the organizations documented inadequate effort and misunderstood HIPAA requirements related to risk analysis and risk management.

In 2018, during the Health Information and Management Systems Society convention in Las Vegas, I was shocked to hear then-Director of OCR Roger Severino announce, “The big juicy egregious breach is my priority… People need to come into compliance.” Clearly OCR was signaling the healthcare industry to improve its cybersecurity posture, or else—the stick. While healthcare organizations made sincere attempts to improve their security and compliance with HIPAA, these efforts did not translate into cybersecurity breach reductions.

Cybersecurity breaches of 500 records or more steadily increased from 2018 to 2021: 369, 512, 663, and 714 incidents respectively.[2] During this time, OCR settled 53 cases with resolution agreements or corrective action plans (CAPs), with settlements exceeding $63 million dollars.[3] This figure does not reflect the costs to CEs and BAs for continued audits, impact to operations, legal fees, and CAPs. In September of 2021, OCR appointed a new director, Lisa J. Pino, who was formerly senior counselor at the U.S. Department of Homeland Security responsible for US cyber breach mitigation and developing new cybersecurity regulatory protections.[4]

Despite the CAPs and fines from OCR, organizations continue to misunderstand the requirements of HIPAA’s Security and Privacy rules. The majority of investigations still find inadequate risk analysis and risk management practices. CEs and BAs consistently confuse the required gap analysis, risk analysis, and technical analysis, ultimately leaving the organization noncompliant and vulnerable. In 2018, OCR published an extremely helpful comparison between a risk analysis and gap analysis in an effort to help reduce confusion.[5]

While there have been no further audits since 2016, it is rumored OCR may hire a third party to handle HIPAA compliance and create a permanent audit program. If OCR is considering an increase in usage of the stick, it would make sense to offset that behavioral conditioning with an incentive like this new law.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings