[BreachExchange] HHS Office of Civil Rights and $15 Million in HIPAA Settlement Payments in 2016

Inga Goddijn inga at riskbasedsecurity.com
Wed Jul 27 19:55:40 EDT 2016


http://www.natlawreview.com/article/hhs-office-civil-rights-and-15-million-hipaasettlement-payments-2016

For years, many questioned whether the *HIPAA* privacy and security rules
would be enforced. The agency responsible for enforcement, *Health and
Human Services’ Office for Civil Rights (OCR)*, promised it would enforce
the rules, but only after a period of “soft” enforcement and compliance
assistance. That period appears to be ending. During the first seven months
of 2016, OCR has announced <http://www.hhs.gov/hipaa/newsroom/index.html>
nearly $15,000,000 in settlement payments to the agency relating to a wide
range of compliance failures alleged against covered entities and business
associates. At the same time, OCR is conducting audits of covered entities
around the country, and plans similar audits of business associates later
this year. If you have been waiting to tackle HIPAA compliance, it is
probably a good time to get it done.

Below is a summary of the circumstances that led to some of the settlements
and civil monetary penalties:

- *Stolen laptop, vulnerable wireless access*. Following notification to
  OCR of a breach involving a stolen laptop (not an uncommon occurrence!),
  OCR investigated and reported discovering that electronic protected
  health information (ePHI) on the covered entity’s network drive was
  vulnerable to unauthorized access via its wireless network – users could
  access 67,000 files after entering a generic username and password. OCR
  also cited, among other things, failures to implement policies and
  procedures to prevent, detect, contain, and correct security violations,
  and to implement certain physical safeguards. Settlement $2.75M.

- *Vulnerabilities identified must be timely addressed*. In another case,
  a covered entity had conducted a number of risk analyses since 2003, but
  the OCR claimed these analyses did not cover all ePHI at the entity. OCR
  also reported that the covered entity did not act timely to implement
  measures to address documented risks and vulnerabilities, nor did it
  implement a mechanism to encrypt and decrypt ePHI or an equivalent
  alternative measure, despite having identified this lack of encryption
  as a risk. Settlement $2.7M.

- *Not-for-profits serving underserved communities not immune.* A data
  breach affecting just over 400 persons caused by the theft of a
  company-issued iPhone triggered an OCR investigation. The iPhone was
  unencrypted and was not password protected, and contained extensive ePHI
  including SSNs, medical diagnoses, and names of family members and legal
  guardians. According to OCR, among other things, the covered entity had
  no policies addressing the removal of mobile devices containing PHI from
  its facility or what to do in the event of a security incident. In its
  public announcement, OCR acknowledged that the $650,000 settlement was
  *after* considering that the covered entity provides unique and
  much-needed services to elderly, developmentally disabled individuals,
  young adults aging out of foster care, and individuals living with
  HIV/AIDS.

- *No business associate agreement*. When a covered entity’s business
  associate experienced a breach affecting over 17,000 patients, OCR again
  investigated. It claimed no business associate agreement was in place,
  leaving PHI without safeguards and vulnerable to misuse or improper
  disclosure. Settlement $750,000.

- *Civil monetary penalties against home care provider.* In only the
  second time OCR has sought civil penalties under HIPAA, a judge awarded
  $239,800 in penalties due to privacy and security compliance failures.
  In this case, a patient complaint led to an OCR investigation – the
  patient complained that an employee of the covered entity left PHI in
  places where unauthorized persons had access and in some cases abandoned
  the information altogether. Other compliance issues included the covered
  entity’s maintaining inadequate policies and procedures to safeguard PHI
  taken offsite, and storing PHI in employee vehicles for extended periods
  of time.

It is true that these are only a handful of cases with large settlement
amounts. But the agency does seem to be sending a message – that is, it
wants to see compliance and it is not afraid to seek significant settlement
amounts from covered entities or business associates, large or small. In
some cases, relatively simple steps such as making sure to have business
associate agreements in place, can help avoid these kinds of enforcement
actions.