[BreachExchange] A Trio of OCR HIPAA Breach Resolutions: Is Your Organization HIPAA Compliant?

Inga Goddijn inga at riskbasedsecurity.com
Mon Dec 31 17:11:22 EST 2018


https://www.natlawreview.com/article/trio-ocr-hipaa-breach-resolutions-your-organization-hipaa-compliant

Over the past thirty days, the Office for Civil Rights
<https://www.hhs.gov/ocr/index.html> (“OCR”) has reached three HIPAA breach
resolutions, signaling to organizations that are covered entities or
business associates under HIPAA the importance of instituting basic best
practices for data breach prevention and response.

On November 26th, the OCR announced
<https://www.hhs.gov/about/news/2018/11/26/allergy-practice-pays-125000-to-settle-doctors-disclosure-of-patient-information-to-a-reporter.html>
a settlement with Allergy Associations of Hartford, P.C. (Allergy
Associations), a health practice specializing in allergies, due to alleged
HIPAA violations resulting from a doctor’s disclosure of patient
information to a reporter. The investigation found that a doctor from
Allergy Associations was questioned by a local television station regarding
a dispute with a patient, and disclosed the patient’s protected health
information (PHI). The OCR concluded that such disclosure was a
“reckless disregard for the patient’s privacy rights”. Allergy Associations
agreed to a monetary settlement of $125,000 and a corrective action plan
that includes two years of monitoring HIPAA compliance.

*» A well thought out media relations plan together with regular security
and awareness training, even for doctors, would go a long way toward
reducing these risks.*

Next, on December 4th, the OCR announced
<https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html>
that it had reached a settlement with the physician group Advanced Care
Hospitalists PL (ACH) in Florida, over alleged HIPAA violations resulting
from the sharing of protected health information (PHI) with a vendor.
According to OCR’s announcement, ACH engaged an unnamed individual to
provide medical billing services without first entering into a business
associate agreement (BAA). While it appeared the individual worked for
Doctor’s First Choice Billing (“First Choice”), First Choice had no
record of this individual or his activities. ACH later became aware that
patients’ PHI was visible on First Choice’s website, with nearly 9,000
patients’ PHI potentially exposed. In the settlement ACH did not admit
liability, but agreed to adopt a robust corrective action plan including
the adoption of business associate agreements, a complete enterprise-wide
risk analysis, and comprehensive policies and procedures to comply with the
HIPAA rules. In addition, ACH agreed to a $500,000 payment to the OCR.

*» This is not the first time the OCR has reached settlements with covered
entities over not having business associate agreements in place. Covered
entities should consider a more formal vendor assessment and management.
That is, certainly make sure there is a BAA in place, but also assess the
business associate’s policies, procedures, and practices.*

And finally, on December 11th, the OCR announced
<https://www.hhs.gov/about/news/2018/12/11/colorado-hospital-failed-to-terminate-former-employees-access-to-electronic-protected-health-information.html>
a settlement with Pagosa Springs Medical Center (PSMC), a critical access
hospital in Colorado, for potential HIPAA privacy and security violations.
The settlement is in response to a complaint that a former employee of PSMC
continued to have remote access to the hospital’s scheduling calendar, which
included patients’ electronic protected health information (ePHI), after
termination of his employment relationship. OCR’s investigation revealed
that PSMC did not have a business associate agreement in place with its
web-based scheduling calendar vendor, or with the former employee. PSMC
agreed to implement a two-year corrective action plan which includes
updates to its security management and business associate agreement
policies and procedures, and workforce training. In addition, PSMC agreed
to a $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to
protected patient information upon their separation from employment,” said
OCR Director Roger Severino. “This case underscores the need for covered
entities to always be aware of who has access to their ePHI and who
doesn’t.”

*» This is a lesson for all businesses – when employees leave the
organization (or are moved from a position that permits access to certain
protected information), immediate changes should be made to their access –
this includes physical and electronic access.*

This series of recent settlements serves as a reminder of the seriousness
with which the OCR treats HIPAA violations. In October, in honor of National
Cybersecurity Awareness Month
<https://www.dhs.gov/national-cyber-security-awareness-month>, the OCR
together with the Office of the National Coordinator for Health Information
Technology <https://www.healthit.gov/> jointly launched an updated HIPAA
Security Risk Assessment (SRA) Tool
<https://www.healthit.gov/providers-professionals/security-risk-assessment-tool>
to help covered entities and business associates comply with the HIPAA
Security Rule
<https://www.hhs.gov/hipaa/for-professionals/security/index.html>. This is
an excellent tool
<https://www.natlawreview.com/article/onc-and-ocr-update-hipaa-security-risk-assessment-tool-national-cyber-security>
to help organizations conduct an enterprise-wide risk analysis. Alternatively,
our HIPAA Ready product provides a scaled approach for midsized and smaller
healthcare practices and business associates. In the end, healthcare
organizations and their business associates need to address basic best
practices, including terminating employee access in a timely manner,
maintaining proper business associate agreements, and having a plan for
media relations.