Maintaining PHI security must remain a top priority for covered entities and business associates year-round. Lackluster safeguards and irregular risk analyses can lead to potential data security issues, and even an OCR HIPAA settlement.
With four months of 2017 almost complete, there have been five settlements announced. Insufficient audit controls, a failure to send out timely notification, and overall weak ePHI security have all been underlined as key issues by OCR.
The most expensive settlement fine was $5.5 million, a reminder that healthcare organizations cannot assume a data breach will never take place at their facility.
Physical, technical, and administrative safeguards should be regularly updated, along with a risk analysis and subsequent risk management plan. Additionally, employee training is a key component of a strong data security plan. Physicians and staff members should know how to utilize equipment and technology, while still keeping PHI secure.
A federally-qualified health center (FQHC) recently agreed to settle potential HIPAA violations with OCR by paying $400,000.
Metro Community Provider Network (MCPN) failed to conduct a risk analysis and did not implement a corresponding risk management plan to address found risks and vulnerabilities, OCR determined.
“MCPN reported that on December 5, 2011, it became aware that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI,” the resolution agreement said. “On April 6, 2012, HHS notified MCPN that it was initiating an investigation into the breach.”
MCPN reportedly did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI security, OCR maintained. The FQHC also “failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
In the largest OCR HIPAA settlement of 2017 thus far, Memorial Healthcare Systems (MHS) agreed to pay $5.5 million following allegations dating from 2012.
One incident allegedly involved MHS employees inappropriately accessing patient information, including names, dates of birth, and Social Security numbers. MHS sent an additional report a few months later when it discovered that further impermissible access had occurred.
“MHS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports,” from January 1, 2011 to June 1, 2012, according to OCR.
MHS also did not implement necessary policies and procedures in that time frame to “establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.”
A lack of audit controls was a key factor in the settlement, OCR added. MHS will need to identify risks and vulnerabilities related to enterprise-wide PHI security, and also show that it has implemented and maintains a risk management plan to address such risks and vulnerabilities.
In February 2017, Children’s Medical Center of Dallas (Children’s) was given a full OCR civil money penalty of $3.2 million for alleged ePHI disclosure and several years of HIPAA non-compliance.
Children’s first filed a breach report in 2010, when an unencrypted, non-password protected Blackberry was reported lost. Approximately 3,800 individuals had their ePHI on the device.
A second breach notification was submitted three years later, where an unencrypted laptop containing the PHI of 2,462 individuals was stolen.
“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” HHS stated.
OCR Acting Director Robinsue Frohboese said in a statement that identifying security risks and then immediately correcting them is critical.
“Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine,” Frohboese stated.
MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to a settlement of approximately $2.2 million earlier in 2017, following allegations of a lack of ePHI safeguards.
MAPFRE had filed a breach report on September 29, 2011, explaining that a USB drive containing ePHI had been stolen from the MAPFRE IT department.
OCR determined in its investigation that MAPFRE failed to conduct its risk analysis and implement a risk management plan, contrary to its prior representations. The organization also did not utilize encryption “or an equivalent alternative measure on its laptops and removable media until September 1, 2014.”
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” OCR Director Jocelyn Samuels said in a statement at the time of the settlement. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
Along with conducting a risk analysis and implementing a risk management plan, MAPFRE must also implement a process for evaluating environmental and operational changes. OCR also determined that MAPFRE needs to review, and revise if necessary, its current Privacy and Security Rules policies and procedures.
The first 2017 OCR HIPAA settlement was with Presence Health, and involved a $475,000 payment. The healthcare network submitted a breach notification but then allegedly had a delayed notification process, according to OCR.
“Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” the agency stated.
The incident in question occurred in 2013, when Presence discovered that paper-based operating room schedules containing PHI were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” OCR Director Jocelyn Samuels said in a statement at the time of the settlement. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”