associates.79 Accordingly, while the focus of this Article is protecting PHI
from outside cyber-attacks, the need to synthesize organizational security
efforts across various entities (i.e., covered entities, business associates, and
other subcontractors that handle PHI) highlights the need for industry-wide
5. HIPAA Risk Assessment
Overall, the HITECH Act and the implementing regulations that followed
left unchanged the data security measures originally required under HIPAA.
Nonetheless, the law substantially increased civil and criminal penalties for
those who experience a breach, which of course includes a cyber-attack.
There are plenty of examples of data breaches that resulted in large
settlements, even before the Omnibus Rule was released. For example, in
2012, the Massachusetts Eye and Ear Infirmary agreed to a $1.5 million
settlement with HHS after “an unencrypted personal laptop containing the
[e-PHI] of [the group practice’s] patients and research subjects was reported
stolen.”80 In still another breach, in 2009 Blue Cross Blue Shield of
Tennessee was fined $1.5 million for violating HIPAA privacy and security
rules as a result of 57 unencrypted hard drives being stolen from one of the
company’s leased facilities, which compromised the e-PHI of over one
million individuals.81 (The company subsequently spent another $17 million
on investigation, notification, and mitigation steps, including $6 million on
data encryption.)82 The penalties may far exceed $1.5 million if an entire
data center at a large facility is compromised in an ongoing cyber-attack that
goes unnoticed for months or years.
All of the addressable measures above are only required under HIPAA if
a covered entity or business associate deems the measure “reasonable and
appropriate” following an analysis of its security environment and the
measure’s likely contribution to the protection of e-PHI.83 Accordingly, a
necessary analytical step in the HIPAA compliance analysis is to carefully
examine the nature of the cybersecurity threat. If the threat is minimal,
companies may legitimately conclude certain addressable measures related
to cybersecurity are unreasonable and inappropriate, thereby avoiding severe
79. See id. § 164.504(e)(3) (2013).
80. Erin McCann, Massachusetts Group to Pay $1.5M HIPAA Settlement, HEALTHCARE
IT NEWS (Sept. 17, 2012), http://www.healthcareitnews.com/news/massachusetts-group-pay-
81. Dina Overland, Blue Cross spend $18.5M on HIPAA violation, FIERCE HEALTHCARE
PAYER (Mar. 14, 2012), http://www.fiercehealthpayer.com/story/blue-cross-fined-15m-hipaa-
83. Id. § 164.306(d)(3)(i) (2013).