Despite several HIPAA violations, recent data analysis found U.S. healthcare providers such as CVS and the VA face few punitive actions. Also in recent GRC headlines: Companies have two more years to meet the TLS requirement under PCI DSS, and experts foresee big changes ahead for the FCPA’s corruption enforcement practices.
Few penalties imposed on frequent HIPAA violators
CVS Health, Kaiser, the U.S. Department of Veterans Affairs and Walgreens were among hundreds of U.S. health providers that repeatedly violated the Health Insurance Portability and Accountability Act (HIPAA) between 2011 and 2014, according to an analysis of federal data by ProPublica, a non-profit newsroom. Despite numerous violations, sanctions against these providers have rarely been imposed, ProPublica’s research found.
The provider with the second-highest number of violations, CVS, pledged to improve its privacy safeguards or was reminded of its HIPAA obligations by the Office for Civil Rights (OCR) more than 200 times, according to ProPublica. The VA was the most persistent HIPAA violator, according to the data: Its clinics, hospitals and pharmacies violated HIPAA 220 times, but the OCR never publicly reprimanded or sanctioned the health provider.
Experts say that while some privacy problems are to be expected among large healthcare providers, persistent complaints are a sign of organizational failures. Deven McGraw, deputy director for health information privacy at OCR, told ProPublica that the agency’s top priority is to investigate breaches that affect at least 500 people. She also acknowledged that the OCR can do more about providers who repeatedly violate HIPAA. Although OCR receives thousands of privacy complaints a year, it has issued fewer than 30 financial sanctions for privacy violations since 2009.
Merchants get two extra years to meet key PCI DSS requirement
The Payment Card Industry Security Standards Council (PCI SSC) announced last month that merchants that need to be compliant with Payment Card Industry Data Security Standard (PCI DSS) version 3.1 now have until June 2018 to migrate away from vulnerable encryption protocols, two years later than the original date of June 2016.
Under PCI DSS 3.1, which was released in April 2015, organizations must migrate away from older versions of Transport Layer Security (TLS) — versions 1.0 and earlier — and any version of Secure Sockets Layer (SSL) by this date. Furthermore, effective immediately, these organizations are prohibited from implementing new technology that relies on SSL and early TLS. A large body of research has shown these protocols to be cryptographically insecure, putting payment data at higher risk of exposure.
One of the main reasons PCI SSC extended the deadline until June 2018 is that it hasn’t been seeing criminals accessing cardholder data through the protocol flaws, PCI SSC international director Jeremy King told eWeek. PCI SSC is trying to balance risks with operational needs, King added, but he also warned that the date change is not an excuse to “do nothing for two years.” Instead, he suggested merchants migrate away from the flawed protocols as early as possible.
Major changes to FCPA enforcement expected for 2016
The Foreign Corrupt Practices Act (FCPA) unit of the U.S. Justice Department will be receiving more scrutiny and resources this year in light of low enforcement in 2015. The FCPA unit plans to add 10 new staff members, and DOJ leaders say they will focus on greater transparency as well as pursuing “high impact” bribery cases, The Wall Street Journal reported.
The Justice Department’s foreign corruption unit settled only two corporate FCPA cases last year, down 10 cases from 2014 and nine from 2013. The DOJ has indicated that it will put a policy shift into motion this year that will create rewards for companies that report violations and cooperate with the government. It will also put greater priority on prosecuting individuals.
Defense lawyers worry that the DOJ’s policy shift of incentivizing companies to cooperate fully may actually limit voluntary disclosures rather than encourage them, according to The Wall Street Journal. However, they also expect to see more compliance cooperation from companies as a result of the DOJ’s hiring of a compliance expert last year.