[BreachExchange] HIPAA Hat Trick: Security Violations Lead to Three Major Settlements

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 11 19:18:40 EDT 2016


http://www.lexology.com/library/detail.aspx?g=022a367f-de44-4302-9717-72b4f030b692

Look no further than the last three weeks for proof that HIPAA enforcement
is on the rise.

Failure to maintain the security of information systems containing patient
information has cost healthcare providers over $10 million in recent
settlements of alleged violations of the Health Insurance Portability and
Accountability Act (HIPAA). The Department of Health and Human Service’s
Office for Civil Rights (OCR) is making it clear that enforcement of
HIPAA’s security requirements is a priority and not likely to slow down.
Indeed, OCR recently announced three major settlements of alleged HIPAA
security violations in as many weeks. The settlements all involve large
health systems and include the largest ever settlement of HIPAA claims, at
a record $5.55 million.

On July 18, 2016, OCR announced that Oregon Health & Science University
(“OHSU”) agreed to pay $2.7 million and enter into a three-year
comprehensive corrective action plan as part of a settlement following
OCR’s investigation of OHSU’s compliance with the HIPAA Security Rule.

OCR reports that OHSU submitted multiple reports of HIPAA breaches
involving the unsecured protected health information (PHI) of thousands of
individuals. Two of the breaches involved unencrypted laptops, and the
third involved a stolen, unencrypted thumb drive. OCR’s investigation
uncovered widespread security vulnerabilities and failure to comply with
the HIPAA Security Rule. For example, OCR found that OHSU stored electronic
PHI (ePHI) of more than 3,000 individuals on a cloud-based server, but OHSU
did not have a business associate agreement in place with the vendor. OCR
determined that this oversight put 1,361 individuals at significant risk of
harm.

Although OHSU has performed security risk assessments periodically since
2003, the risk assessments did not cover all of the ePHI in OHSU’s
information systems, and OHSU did not address the vulnerabilities
identified in the risk assessments. For example, although OHSU identified
that its lack of encryption of ePHI stored on its workstations was a risk,
it failed to implement encryption or an equivalent protection. OCR also
found that OHSU lacked policies and procedures required by the Security
Rule to prevent, detect, contain, and correct security violations.

Just a week after the OHSU announcement, OCR announced a similar settlement
with the University of Mississippi Medical Center (“UMMC”) for $2.75
million. Like OHSU, OCR investigated UMMC’s HIPAA compliance after UMMC
reported a HIPAA breach involving a stolen laptop containing ePHI.

OCR’s investigation found that users of UMMC’s wireless network could use a
generic username and password to access an active directory on UMMC’s
network drive containing 67,000 files. OCR estimates that the directory
included files containing the ePHI of 10,000 patients. OCR also found that
UMMC violated the Security Rule by failing to implement appropriate
security policies and procedures, restrict access on workstations that
access ePHI to authorized users, and assign unique user names for
identifying and tracking users of systems containing ePHI. Further, UMMC
failed to notify each individual whose ePHI was reasonably believed to have
been affected by the breach of the stolen laptop.

Finally, in keeping with its once-a-week settlements, OCR announced on
August 4, 2016 that it had entered into the largest ever settlement of
HIPAA claims with Advocate Health Care Network (“Advocate”). Advocate
agreed to pay $5.55 million, due in part to the extent and duration of
Advocate’s alleged noncompliance and the large number of individuals whose
PHI was affected.

OCR investigated Advocate’s HIPAA compliance after it reported three
separate HIPAA breaches involving its subsidiary, Advocate Medical Group,
affecting approximately 4 million individuals. OCR reports that Advocate
failed to conduct accurate and thorough risk assessments, implement
appropriate security policies and procedures, enter into written business
associate agreements to protect ePHI, and reasonably safeguard an
unencrypted laptop that was left in an unlocked car.

Takeaways

Aside from confirming that HIPAA enforcement is dramatically up, these
settlements highlight the importance of Security Rule compliance. Among
other things, this means that covered entities (and business associates)
must:

have adequate security policies and procedures to prevent, detect, contain
and correct security violations;
have thorough risk assessments that assess all information systems
containing ePHI;
respond to all risks and vulnerabilities that they have identified in their
risk assessments; and
handle security breaches in accordance with the requirements of the Breach
Notification and Security Rules — and be prepared for significant breaches
to result in enforcement actions.