[BreachExchange] 5 Lessons Learned in OCR HIPAA Settlements

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 1 19:42:02 EDT 2017


https://healthitsecurity.com/news/5-lessons-learned-in-ocr-hipaa-settlements

Healthcare organizations cannot assume that they will never experience a
data breach or data security incident. Failure to update safeguards or
audit controls could also lead to an OCR HIPAA settlement, which could be
paired with a high fine and a lengthy recovery process.

There are several key lessons to be learned from OCR HIPAA settlements over
the past two years. Covered entities and their business associates should
review their approaches to HIPAA compliance and ensure that employees at
all levels are properly and regularly trained.

Business associate agreements, audit controls, risk management, and the
data breach notification process are all areas that have been overlooked in
terms of data security. Basic technical, administrative, and physical
safeguards are also essential, and need to be updated to account for
electronic PHI (ePHI) in addition to paper formats.

BUSINESS ASSOCIATE AGREEMENTS (BAAs)

An individual or an organization may be considered a business associate,
according to HHS. A consultant who does hospital utilization reviews or an
attorney with PHI access are both examples, and require a business
associate agreement (BAA).

Business associates face repercussions under the HIPAA regulations similar
to those faced by covered entities, including when PHI is compromised in a
healthcare data breach.

Illinois-based Center for Children’s Digestive Health (CCDH) agreed to a
$31,000 OCR HIPAA settlement in April 2017 after it was found to have not
had a proper BAA in place.

An OCR investigation found that CCDH did not have a BAA with FileFax, Inc.
Records and that the PHI of at least 10,728 individuals was disclosed to
FileFax “when CCDH transferred the PHI to Filefax without obtaining
Filefax's satisfactory assurance.”

OCR stated that CCDH must “develop, maintain, and revise, as necessary, its
written policies and procedures to comply with the Federal standards that
govern the privacy and security of individually identifiable health
information.”

Similarly, Care New England Health System (CNE) agreed to an OCR HIPAA
settlement in September 2016 for not having a BAA in place.

OCR determined that Women & Infants Hospital of Rhode Island (WIH) – a CNE
covered entity – did not have an updated BAA in place when unencrypted
backup tapes with patient information were lost in 2015.

“From September 23, 2014, until August 28, 2015, WIH impermissibly
disclosed the PHI of at least 14,004 individuals to its business associate
when WIH provided CNE with access to PHI without obtaining satisfactory
assurances, in the form of a written business associate agreement, that CNE
would appropriately safeguard the PHI,” OCR said.

CNE agreed to a $400,000 settlement, while WIH agreed to a consent judgment
with the Massachusetts Attorney General’s Office (AGO) with a settlement of
$150,000.

AUDIT CONTROLS

One of the larger cases from the past couple of years was with Memorial
Healthcare Systems (MHS), which agreed to a $5.5 million settlement with
OCR.

A lack of audit controls at MHS was one of the leading factors, according
to OCR's February 2017 release. Two incidents were reported, one involving
the PHI of 80,000 individuals being disclosed when MHS gave a former
employee of an affiliated physician practice access to the data.

“Organizations must implement audit controls and review audit logs
regularly,” OCR Acting Director Robinsue Frohboese said in a statement. “As
this case shows, a lack of access controls and regular review of audit logs
helps hackers or malevolent insiders to cover their electronic tracks,
making it difficult for covered entities and business associates to not
only recover from breaches, but to prevent them before they happen.”

An MHS spokesperson explained in a statement emailed to
HealthITSecurity.com that the situation occurred six years prior and that
the organization “proactively reported the actions” of the involved
employees.

“Upon learning of the breaches, Memorial quickly acted to implement new,
sophisticated technologies designed to monitor use and access of patient
data, further restricted access to protect patient information, and enacted
new policies and procedures to enhance password security,” the statement
read.

“While Memorial strongly disagrees with many of OCR’s allegations, has
admitted no liability and has chosen to settle this case, it nevertheless
agrees with the importance OCR places on maintaining the security of
patient information.”

RISK MANAGEMENT

Implementing risk management plans is also an essential aspect of data
security, as was shown in the February 2017 OCR HIPAA settlement with
Children’s Medical Center of Dallas (Children’s).

Children’s agreed to a $3.2 million civil penalty, stemming from an
incident in which an unencrypted, non-password-protected BlackBerry was
reported lost.

“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules,
specifically, a failure to implement risk management plans, contrary to
prior external recommendations to do so, and a failure to deploy encryption
or an equivalent alternative measure on all of its laptops, work stations,
mobile devices and removable storage media until April 9, 2013,” HHS stated.

Lacking risk management was also cited in the October 2016 settlement with
St. Joseph Health (SJH).

In that case, SJH agreed to a $2,140,500 settlement after it was found to
have failed to evaluate or modify its safeguards when a new file server was
implemented.

“Evidence indicated that SJH failed to conduct an evaluation in response to
the environmental and operational changes presented by implementation of a
new server for its meaningful use project, thereby compromising the
security of ePHI,” OCR wrote.

SJH did not conduct an organization-wide risk analysis, and instead assessed
potential risks and vulnerabilities to ePHI in a “patchwork fashion.”

BREACH NOTIFICATION

The HIPAA data breach notification process must also be timely, with
organizations adhering to the required HHS timeline in notifying
individuals and law enforcement agencies.

For example, Presence Health agreed to a $475,000 OCR HIPAA settlement
after it experienced a data breach and then reportedly delayed its breach
notifications.

“Presence Health failed to notify, without unreasonable delay and within 60
days of discovering the breach, each of the 836 individuals affected by the
breach, prominent media outlets (as required for breaches affecting 500 or
more individuals), and OCR,” the investigation found.

Presence stated that there was a delay in the notification process because
of miscommunications between its workforce members.

Regardless of the size of a potential healthcare data breach, individual
notification must take place without unreasonable delay and no later than 60
days following discovery of the breach, according to HHS. Covered entities
must make an annual report when fewer than 500 people are affected.

Organizations must also adhere to state data breach notification processes.
In June 2017, CoPilot Provider Support Services, Inc. agreed to a $130,000
settlement with New York when it was found to have violated state
notification law.

CoPilot reportedly waited over one year to provide notice that a data
breach exposed 221,178 patient records, the New York Attorney General’s
Office explained.

“Healthcare services providers have a duty to protect patient records as
securely as possible and to provide notice when a breach occurs,” Attorney
General Schneiderman said in a statement. “Waiting over a year to provide
notice is unacceptable. My office will continue to hold businesses
accountable to their responsibility to protect customers’ private
information.”

BASIC HIPAA SAFEGUARDS

HIPAA technical safeguards, physical safeguards, and administrative
safeguards are the backbone of any organization’s approach to compliance
and data security.

As technology continues to evolve and organizations have more ePHI, it
becomes more important for entities to update their security measures and
account for new tools.

Advocate Health Care (Advocate) agreed to a $5.5 million OCR HIPAA
settlement in August 2016, following multiple alleged HIPAA violations and
noncompliance issues.

OCR investigated three incidents, and found that Advocate did not “conduct
an accurate and thorough assessment of the potential risks and
vulnerabilities to all of its ePHI,” and also failed to “implement policies
and procedures and facility access controls to limit physical access to the
electronic information systems housed within a large data support center.”

Advocate also did not have “satisfactory assurances” in a BAA that the
business associate would maintain ePHI security, nor did the entity
reasonably safeguard an unencrypted laptop.

“We hope this settlement sends a strong message to covered entities that
they must engage in a comprehensive risk analysis and risk management to
ensure that individuals’ ePHI is secure,” then-OCR Director Jocelyn Samuels
said in a statement. “This includes implementing physical, technical, and
administrative security measures sufficient to reduce the risks to ePHI in
all physical locations and on all portable devices to a reasonable and
appropriate level.”

The need for updated safeguards that account for new technologies was also
highlighted in the April 2017 settlement with Pennsylvania-based CardioNet.

CardioNet agreed to a $2.5 million settlement after it reportedly did not
have sufficient risk analysis and risk management processes in place when a
laptop containing ePHI was stolen.

“CardioNet’s policies and procedures implementing the standards of the
HIPAA Security Rule were in draft form and had not been implemented,” OCR
said in a statement. “Further, the Pennsylvania-based organization was
unable to produce any final policies or procedures regarding the
implementation of safeguards for ePHI, including those for mobile devices.”