- Healthcare organizations cannot assume that they will never experience a data breach or data security incident. Failure to update safeguards or audit controls could also lead to an OCR HIPAA settlement, which could be paired with a high fine and a lengthy recovery process.
There are several key lessons to be learned from OCR HIPAA settlements over the past two years. Covered entities and their business associates should review their approaches to HIPAA compliance and ensure that employees at all levels are properly and regularly trained.
Business associate agreements, audit controls, risk management, and the data breach notification process are all areas that have been overlooked in terms of data security. Basic technical, administrative, and physical safeguards are also essential, and need to be updated to account for electronic PHI (ePHI) in addition to paper formats.
Business associate agreements (BAAs)
An individual or an organization may be considered a business associate, according to HHS. A consultant who does hospital utilization reviews or an attorney with PHI access are both examples, and require a business associate agreement (BAA).
Business associates can face repercussions similar to those covered entities face under HIPAA regulations, including when PHI is compromised in a healthcare data breach.
Illinois-based Center for Children’s Digestive Health (CCDH) agreed to a $31,000 OCR HIPAA settlement in April 2017 after it was found to have not had a proper BAA in place.
An OCR investigation found that CCDH did not have a BAA with FileFax, Inc. Records and that the PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax's satisfactory assurance.”
OCR stated that CCDH must “develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information.”
Similarly, Care New England Health System (CNE) agreed to an OCR HIPAA settlement in September 2016 for not having a BAA in place.
OCR determined that Women & Infants Hospital of Rhode Island (WIH) – a CNE covered entity – did not have an updated BAA in place when unencrypted backup tapes with patient information were lost in 2015.
“From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI,” OCR said.
CNE agreed to a $400,000 settlement, while WIH agreed to a consent judgment with the Massachusetts Attorney General’s Office (AGO) with a settlement of $150,000.
One of the larger cases from the past couple of years was with Memorial Healthcare Systems (MHS), which agreed to a $5.5 million settlement with OCR.
A lack of audit controls at MHS was one of the leading factors, according to OCR in its February 2017 release. Two incidents were reported, one involving 80,000 individuals’ PHI being disclosed when MHS gave a former employee of an affiliated physician practice access to the data.
“Organizations must implement audit controls and review audit logs regularly,” OCR Acting Director Robinsue Frohboese said in a statement. “As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
An MHS spokesperson explained in a statement emailed to HealthITSecurity.com that the situation occurred six years prior and that the organization “proactively reported the actions” of the involved employees.
“Upon learning of the breaches, Memorial quickly acted to implement new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security,” the statement read.
“While Memorial strongly disagrees with many of OCR’s allegations, has admitted no liability and has chosen to settle this case, it nevertheless agrees with the importance OCR places on maintaining the security of patient information.”
Implementing risk management plans is also an essential aspect of data security, as was shown in the February 2017 OCR HIPAA settlement with Children’s Medical Center of Dallas (Children’s).
Children’s agreed to a $3.2 million civil penalty, stemming from an incident when an unencrypted, non-password-protected Blackberry was reported lost.
“OCR’s investigation revealed Children’s noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until April 9, 2013,” HHS stated.
Lacking risk management was also cited in the October 2016 settlement with St. Joseph Health (SJH).
In that case, SJH agreed to a $2,140,500 settlement after it was found to have failed to examine or modify a new file server when it was implemented.
“Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI,” OCR wrote.
SJH did not conduct a risk analysis across the organization and assessed potential risks and vulnerabilities to ePHI in a “patchwork fashion.”
The HIPAA data breach notification process must also be timely, with organizations adhering to the required HHS timeline in notifying individuals and law enforcement agencies.
For example, Presence Health agreed to a $475,000 OCR HIPAA settlement after it experienced a data breach and then had a reportedly delayed breach notification process.
“Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” the investigation found.
Presence stated that there was a delay in the notification process because of miscommunications between its workforce members.
Regardless of the size of a potential healthcare data breach, individual notification must take place without unreasonable delay or no later than 60 days following the breach discovery, according to HHS. Covered entities must make an annual report when fewer than 500 people are affected.
Organizations must also adhere to state data breach notification processes. In June 2017, CoPilot Provider Support Services, Inc. agreed to a $130,000 settlement with New York when it was found to have violated state notification law.
CoPilot reportedly waited over one year to provide notice that a data breach exposed 221,178 patient records, the New York Attorney General’s Office explained.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” Attorney General Schneiderman said in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
Basic HIPAA Safeguards
HIPAA technical safeguards, physical safeguards, and administrative safeguards are the backbone of any organization’s approach to compliance and data security.
As technology continues to evolve and organizations have more ePHI, it becomes more important for entities to update their security measures and account for new tools.
Advocate Health Care (Advocate) agreed to a $5.5 million OCR HIPAA settlement in August 2016, following multiple alleged HIPAA violations and noncompliance issues.
OCR investigated three incidents, and found that Advocate did not “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI,” and also failed to “implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center.”
Advocate also did not have “satisfactory assurances” in a BAA that the business associate would maintain ePHI security, nor did the entity reasonably safeguard an unencrypted laptop.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” then-OCR Director Jocelyn Samuels said in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
The need for updated safeguards that account for new technologies was also highlighted in the April 2017 settlement with Pennsylvania-based CardioNet.
CardioNet agreed to a $2.5 million settlement after it reportedly did not have sufficient risk analysis and risk management processes in place when a laptop containing ePHI was stolen.
“CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented,” OCR said in a statement. “Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”