[BreachExchange] Recent HIPAA Privacy and Security Settlements and Lessons Learned

[Audrey McNeil]

http://www.jdsupra.com/legalnews/recent-hipaa-privacy-and-security-27501/

Although the fate of the Affordable Care Act remains undecided, enforcement
of the HIPAA privacy and security regulations by the Office for Civil
Rights (OCR) of the U.S. Department of Health and Human Services is
ongoing, with three settlements and one assessment of penalties already in
2017. The settlements and penalties so far total over $11 million, with one
of the settlements equaling the largest ever, at $5.5 million. These four
cases provide helpful lessons for covered entities and business associates,
as well as warnings that HIPAA compliance might be less expensive than
noncompliance.

The smallest settlement so far in 2017 was for $475,000 for paper Protected
Health Information (PHI) of over 800 individuals that was “missing” from a
health care provider, and for failure to provide breach notices within the
regulatory time limits. This is not the first time breach notices were
late, but it is the first time OCR has specifically identified late notices
as an alleged violation.

The largest settlement so far in 2017 was for $5.5 million. It arose when
an employee of a physician practice that was affiliated with the covered
entity (a large health care provider) left employment with the affiliate,
but the covered entity did not terminate the former employee’s access to
PHI for over a year, leaving the PHI of about 80,000 individuals available
to the individual.

Another large settlement in 2017 was for $2.2 million, and it arose from
the theft of a USB device that was left overnight in an insurance company’s
IT department and contained the PHI of over 2,200 individuals. OCR alleged
that the covered entity failed to conduct an appropriate risk assessment,
failed to implement a security awareness and training program for its
workforce members, failed to implement an encryption mechanism, and failed
to have policies and procedures to comply with the HIPAA security rules.

Finally, a penalty assessment of $3.2 million was imposed against a large
medical center that had several HIPAA issues over a period of years,
including the loss of an unencrypted phone, theft of an unencrypted laptop
from the covered entity’s premises and access to PHI given to unauthorized
workforce members. OCR found that the covered entity did not act in a
timely fashion, despite knowing of the risks presented by the unencrypted
devices as early as 2007, and continued to issue such devices until 2013.

Lessons for Covered Entities and Business Associates

These and other recent enforcement actions provide important lessons and
reminders, including the following:

Don’t use unsupported software (i.e., out-of-date versions) and apply
patches regularly and promptly.
Train your workforce that idle curiosity (i.e., snooping) is forbidden and
a HIPAA violation.
Pay close attention to Internet scheduling tools, which can present special
problems.
After routine maintenance, always check that firewalls are reactivated and
security settings are appropriate.
Wipe any hard drives (which many copiers have) before reselling or
returning to leasing companies.
Implement strong policies and procedures regarding taking PHI offsite,
handling while offsite and protecting it from others (family members,
neighbors, visitors in the home, etc.).
Never leave PHI or a device containing PHI in a vehicle unless the PHI or
device is secured.
Review business associate agreements to make sure they’ve been updated for
legal requirements and any changes in the services to be rendered by the
business associate.

With a total of over $11 million in settlements and penalties already in
2017, this is on pace to be a record year for HIPAA enforcement. Although
many covered entities and business associates balk at the cost of HIPAA
compliance, HIPAA noncompliance can be even more expensive.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170410/07116bde/attachment.html>