$2.3M OCR Settlement Reached for 21st Century Oncology Data Breach

The 21st Century Oncology data breach from 2015 has led to a $2.3 million OCR settlement, which also requires a Corrective Action Plan.

Source: Xtelligent Media

By Elizabeth Snell

Cancer care services provider 21st Century Oncology (21CO) recently agreed to a $2.3 million OCR settlement, following a 2015 data breach.

OCR found in its investigation that 21CO impermissibly disclosed the PHI of 2,213,597 of its patients and “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI.”

OCR also found that 21CO failed to implement security measures to reduce those risks and vulnerabilities, and failed to implement procedures to regularly review information system activity, such as reviews of audit logs, access reports, and security incident tracking reports.

The organization also disclosed PHI to its business associates without having a proper business associate agreement in place, according to OCR.

The organization must also comply with a Corrective Action Plan (CAP), which requires that 21CO designate an individual to serve as a Compliance Representative. This individual must be knowledgeable about HIPAA and 21CO's policies, and will be responsible for “assuring 21CO’s compliance.”

The CAP also requires the following:

  • Complete a risk analysis and a risk management plan
  • Revise policies and procedures related to information system security and to access establishment, modification, and termination
  • Adopt and distribute those policies and procedures
  • Establish business associate agreements
  • Conduct internal monitoring and external assessments related to information security

21CO will also need to maintain all documents and records relating to CAP compliance for six years, so OCR can inspect and copy the documents if necessary.

The data breach in question occurred in 2015 when an unauthorized party gained access to a 21CO database. The FBI notified the organization of the incident on November 13, 2015, but a forensic investigation determined that the intruder may have accessed the database as early as October 3, 2015.

“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century said in an earlier statement. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”

21CO also recently reached a settlement with the Department of Justice for $26 million over allegations that the provider had submitted false or inflated meaningful use attestations.

“The Justice Department is committed to zealously investigating improper financial relationships that have the potential to compromise physicians’ medical judgment,” Acting Assistant Attorney General Chad A. Readler said in a statement. “However, we will work with companies that accept responsibility for their past compliance failures and promptly take corrective action.”

The organization self-reported that it had knowingly submitted, or enabled the submission of, false attestations to CMS about its physicians’ EHR use. 21CO sought to earn incentive payments and to avoid downward payment adjustments under the meaningful use requirements. Employees also falsified data about 21CO’s EHR use, fabricated EHR use reports, and superimposed EHR vendor logos onto the false reports to make them look legitimate.

“This settlement represents our office’s continued commitment to ensuring compliance with important federal health care laws,” Middle District of Florida Acting U.S. Attorney Stephen Muldrow said in a statement. “We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures.”

Missing business associate agreements and inadequate audit controls are consistently among the top issues cited in OCR HIPAA settlements.

The Center for Children’s Digestive Health (CCDH) agreed to a $31,000 OCR HIPAA settlement in April 2017 over a lack of BAAs.

The Illinois facility did not have a BAA with FileFax, Inc., according to OCR. The PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax's satisfactory assurance.”

Memorial Healthcare Systems (MHS) agreed to a $5.5 million settlement with OCR in February 2017. In that case, OCR found that MHS had not implemented audit controls and did not regularly review its audit logs.

One of the two corresponding data breaches involved a former employee of an affiliated physician practice gaining access to the data of 80,000 individuals.

“As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen,” OCR Acting Director Robinsue Frohboese said in a statement.
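The control OCR faulted in both the 21CO and Memorial Healthcare cases is the routine review of information system activity: audit logs and access reports that are collected but never examined. As an added illustration that is not from the article or from any of the organizations it describes, the Python script below runs a review over a constructed ePHI access log against a constructed HR roster and flags the two patterns those settlements point at: activity from accounts that should have been terminated (or were never provisioned), and one account pulling an unusual number of distinct patient charts in a short window. The log format, roster, account names, and threshold values are all assumptions for the example.

```python
"""Periodic ePHI access-log review: flag deprovisioned-account activity and
bulk chart access. Editor-added example, not code from the article or from
21CO, MHS, or OCR. Log format, roster and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster (assumption): user -> termination date, None if active.
ROSTER = {
    "jdoe": datetime(2015, 9, 15),   # terminated, account never disabled
    "asmith": None,                  # active clinician
    "svc_billing": None,             # active service account
}


def _constructed_sample():
    """Build a constructed access log: '<ISO timestamp> <user> <action> <MRN>'."""
    lines = []
    base = datetime(2015, 10, 3, 2, 14, 0)
    # jdoe pulls 25 distinct charts in under five minutes, after termination
    for i in range(25):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} jdoe VIEW MRN-{100200 + i}")
    # asmith views a handful of charts spread across a shift (normal use)
    for i in range(5):
        ts = base + timedelta(hours=6, minutes=40 * i)
        lines.append(f"{ts.isoformat()} asmith VIEW MRN-{200300 + i}")
    # an account that is not on the HR roster at all
    ts = base + timedelta(hours=1)
    lines.append(f"{ts.isoformat()} tmp_admin VIEW MRN-300001")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, action, mrn) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append((datetime.fromisoformat(ts), user, action, mrn))
    return events


def terminated_account_access(events, roster):
    """Accesses by unknown accounts or by accounts after their termination date."""
    findings = []
    for ts, user, _action, mrn in events:
        if user not in roster:
            findings.append((user, ts, mrn, "account not on roster"))
        elif roster[user] is not None and ts >= roster[user]:
            findings.append((user, ts, mrn, "access after termination"))
    return findings


def bulk_access(events, window=timedelta(minutes=10), max_distinct=20):
    """Users who viewed more than max_distinct distinct MRNs inside any window.

    Returns {user: peak distinct-record count} for flagged users only.
    """
    by_user = defaultdict(list)
    for ts, user, _action, mrn in events:
        by_user[user].append((ts, mrn))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        in_window = defaultdict(int)  # mrn -> occurrences inside the window
        for ts, mrn in items:
            in_window[mrn] += 1
            # slide the left edge forward until the window fits
            while ts - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


def review(text, roster):
    """Run both checks over a log text; what a scheduled review job would emit."""
    events = parse_log(text)
    return {
        "terminated": terminated_account_access(events, roster),
        "bulk": bulk_access(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, ROSTER)
    for user, ts, mrn, why in result["terminated"]:
        print(f"{ts.isoformat()} {user} {mrn}: {why}")
    for user, peak in result["bulk"].items():
        print(f"{user}: {peak} distinct charts within one window")
```

The review is deliberately joined to an external source of truth (the HR roster): an access log on its own can tell you what an account did, but only a comparison against who is supposed to have an account turns "jdoe viewed 25 charts" into "a terminated user viewed 25 charts." In production the roster would come from the identity system and the log from the EHR's audit trail, and the job would run on a schedule with its findings routed to the security incident process the CAP requires.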
