[BreachExchange] Taking Measure of HIPAA Enforcement

Inga Goddijn inga at riskbasedsecurity.com
Wed Sep 21 17:38:42 EDT 2016


http://www.lexology.com/library/detail.aspx?g=20733adf-1e21-4cae-a10d-13df25cff0d9

Last month, the U.S. Department of Health and Human Services, Office for
Civil Rights (OCR) announced the largest settlement to date for alleged
violations of the Health Insurance Portability and Accountability Act
(HIPAA). Advocate Health Care Network, a large, nonprofit health system
based in the greater Chicago area, agreed to pay $5.55 million and adopt a
corrective action plan to settle a variety of allegations of HIPAA
noncompliance.

The Advocate settlement is the latest in a series of enforcement activities
that already have made for a record-breaking year. So far in 2016, OCR has
published nine resolution agreements requiring total payment of over $20
million, or an average of more than $2.2 million per settlement. By
comparison, from the April 2003 effective date of the HIPAA privacy rule
through the end of 2015, OCR entered into 29 settlements totaling
approximately $28 million.

It is clear enough that we are in a new era of HIPAA enforcement activity.
As massive data breaches continue to dominate headlines and with the second
phase of OCR’s HIPAA audit program now underway, covered entities and their
business associates have every reason to take stock of OCR’s enforcement
actions and carefully review their own compliance efforts.

*The Advocate Settlement*

The Advocate settlement resulted from three separate breach notification
reports submitted by Advocate on behalf of one of its subsidiaries,
Advocate Medical Group (AMG). The first incident involved the theft in July
2013 of four desktop computers from an AMG administrative office building.
In its breach report to OCR, which it submitted in August 2013, Advocate
concluded that the computers contained the unsecured electronic protected
health information (ePHI) of approximately 4 million individuals. OCR began
an investigation shortly after receiving the report.

Approximately two weeks later, in September 2013, Advocate submitted
another breach report to OCR. The second incident involved the breach of
unsecured ePHI by a subcontractor billing company, Blackhawk Consulting
Group (Blackhawk). Advocate reported that, at some time between June and
August 2013, the ePHI of roughly 2,000 AMG patients had been potentially
compromised when an unauthorized third party accessed Blackhawk’s network.
Advocate reported a third breach in November 2013. The third incident
involved the theft of a laptop containing the unencrypted ePHI of more than
2,000 individuals from the car of an AMG employee.

In all, the three incidents involved the ePHI of approximately 4 million
individuals, including names, addresses, dates of birth, credit card
numbers with expiration dates, demographic information, clinical
information, and health insurance information.

Through its investigation, OCR determined that Advocate failed to comply
with HIPAA in a variety of ways. Specific findings highlighted in the
settlement agreement include:

   - Failure to conduct an accurate and thorough risk analysis that
     incorporated all of its facilities, information technology equipment,
     applications, and data systems using ePHI
   - Failure to implement policies and procedures to limit physical access to
     the electronic information systems housed within a large data support
     center (from which the four desktop computers were stolen)
   - Failure to obtain satisfactory assurances in the form of a written
     business associate agreement from Blackhawk that Blackhawk would
     appropriately safeguard all ePHI in its possession or control
   - Impermissible disclosure of the ePHI of approximately 2,000 individuals
     to Blackhawk when it failed to enter into a written business associate
     agreement with Blackhawk prior to disclosure
   - Failure to reasonably safeguard the data of more than 2,000 individuals
     when an AMG workforce member left an unencrypted laptop in an unlocked
     vehicle overnight

OCR announced that Advocate had agreed to a settlement with OCR to resolve
these allegations on August 4, 2016. The settlement agreement requires the
payment of $5.55 million and outlines a corrective action plan that will
last for two years. Corrective actions required by the plan include, among
other things: (1) modifying Advocate’s existing risk analysis; (2)
developing and implementing an enterprise-wide risk management plan to
address and mitigate any security risks and vulnerabilities found in the
risk analysis; (3) implementing a process for evaluating environmental and
operational changes; (4) developing an encryption report that covers all
Advocate devices and equipment that may be used to access, store, download,
or transmit ePHI; (5) reviewing and revising policies and procedures on (i)
device and media controls, (ii) facility access controls, and (iii)
business associates; and (6) developing an enhanced privacy and security
awareness training program. Advocate is required to submit the above
analyses, plans, and policies to OCR for its review and approval.

Advocate also is required to conduct internal monitoring of its compliance
with the corrective action plan as well as engage an independent
third-party assessor to review its compliance. The independent reviewer is
to provide reports of Advocate’s compliance directly to OCR.

In its press release announcing the settlement, OCR cited the extent and
duration of the alleged noncompliance (dating back to the inception of the
HIPAA security rule in some cases) as factors contributing to the
record-breaking penalty. OCR also highlighted the involvement of the
Illinois Attorney General in a corresponding investigation, the large
number of individuals whose information was affected, and the size of
Advocate.

*Enforcement Activities in 2016*

The Advocate settlement is the most recent in a string of significant HIPAA
enforcement actions. In July, OCR announced two settlements with large
health systems—one for $2.75 million and the other for $2.7 million.
Earlier this year, OCR announced a $3.9 million settlement involving a
biomedical research institute. In all, nine resolution agreements have been
published thus far this year. Collectively, these settlements require
payment of over $20 million, or an average of more than $2.2 million per
settlement.

The following table summarizes the settlement agreements announced to date
in 2016:

| Entity | Settlement | Date | Key Allegations |
|---|---|---|---|
| Advocate Health Care Network | $5,550,000 | August 4, 2016 | Three separate breach incidents; failure to perform organization-wide risk analysis; failure to execute business associate agreement; failure to implement facility access controls |
| University of Mississippi Medical Center | $2,750,000 | July 21, 2016 | Theft of laptop and network vulnerabilities without appropriate security safeguards |
| Oregon Health & Science University | $2,700,000 | July 18, 2016 | Theft of laptops and unencrypted thumb drive; failure to enter into business associate agreement with cloud-based storage provider; failure to perform organization-wide risk analysis |
| Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | June 29, 2016 | Theft of unencrypted mobile device owned by business associate; failure to perform risk analysis; failure to have mobile device policies and procedures |
| New York Presbyterian Hospital | $2,200,000 | April 21, 2016 | Disclosure of two patients’ PHI to film crews and staff during the filming of television series |
| Raleigh Orthopaedic Clinic, P.A. | $750,000 | April 19, 2016 | Failure to execute business associate agreement prior to disclosing PHI |
| Feinstein Institute for Medical Research | $3,900,000 | March 17, 2016 | Theft of laptop with patient and research participant information; failure to have adequate security management process |
| North Memorial Health Care of Minnesota | $1,550,000 | March 16, 2016 | Theft of laptop; failure to enter into a business associate agreement with major contractor; failure to perform organization-wide risk analysis |
| Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | February 16, 2016 | Disclosure of PHI in advertising without authorization |

Aside from their number and size, the settlements are noteworthy for a few
reasons. First, these enforcement actions involve a variety of covered
entities—from large health systems and a biomedical research institute to a
physical therapy practice and an orthopedic surgery group—as well as a
business associate. Second, most of the enforcement actions arose from
breach reports submitted by the entities to OCR. In many of these cases,
the breach resulted from stolen laptops or devices that were not encrypted.
Third, although the facts of each case vary considerably, many involve some
of the same HIPAA compliance issues, including failure to conduct an
adequate risk analysis and failure to enter into a business associate
agreement. Finally, in each of these enforcement actions, the entity was
required to enter into a corrective action plan, which usually requires
ongoing reporting to OCR and in many cases lasts two years. In several
cases, such as the Advocate settlement, OCR has required the appointment of
a monitor for continuous oversight.

Of course, the settlements alone do not fully describe OCR’s enforcement
activities. As of July 31, 2016, OCR had received over 137,770 HIPAA
complaints and initiated over 885 compliance reviews. While it has resolved
the vast majority of these cases, OCR still has over 5,000 open cases. It
is likely that some of these cases will result in monetary settlements.

OCR has also announced an initiative to more widely investigate the root
causes of breaches affecting fewer than 500 individuals. OCR investigates
all reported breaches involving 500 or more individuals. Historically, each
OCR regional office has had discretion as to whether to take action on
smaller breaches. Under the new initiative, the regional offices will still
retain discretion to prioritize which smaller breaches to investigate, but
each office will increase its efforts to address noncompliance related to
these breaches. OCR has indicated that its regional offices will consider
the following factors, among others: (1) the size of the breach; (2)
whether the breach involved theft of or improper disposal of unencrypted
protected health information; (3) whether the breach involved unwanted
intrusion to information technology systems; (4) the amount, nature, and
sensitivity of the information involved; and (5) instances where numerous
breach reports from the same entity raise similar issues.

Lastly, OCR is in the process of implementing the second phase of its audit
program. The Health Information Technology for Economic and Clinical Health
Act requires OCR to conduct periodic audits of covered entity and business
associate compliance with the HIPAA privacy, security, and breach
notification rules. In 2011 and 2012, OCR implemented a pilot audit program
that involved 115 covered entities. In March of this year, OCR announced
the second phase of the audit program, which includes both covered entities
and business associates. The first set of audits under this program is a
series of desk audits focused on several key areas. All of the desk audits
are expected to be completed by the end of December 2016. In 2017, OCR will
begin to conduct comprehensive on-site audits. The audits are primarily
intended to be a compliance improvement activity; however, they will be
used to help OCR determine what types of corrective action it should pursue
in the future.

*Concluding Thoughts*

More settlements, more money, same problems. It has been a banner year for
OCR in HIPAA enforcement, with more settlements and a bigger haul than ever
before. Yet, many of the enforcement actions involve relatively
straightforward allegations of noncompliance, such as the lack of adequate
risk analyses and risk management plans, failure to enter into business
associate agreements, or failure to implement appropriate policies and
procedures.

Covered entities and business associates should be mindful of these
enforcement actions and use them as an opportunity to critically evaluate
their own compliance efforts. Among other things, HIPAA-covered
organizations should consider: (1) reviewing their risk analyses, revising
as necessary to capture changes in where information is located and how it
is transmitted; (2) evaluating workforce training efforts; (3) reviewing
the adequacy of existing policies and procedures, including those regarding
responding to potential breaches; (4) encrypting ePHI where possible; and
(5) assessing cyber liability and breach-related insurance policies.
Breaches cannot always be prevented, but the associated risk of loss can be
mitigated substantially with careful planning.