The Office for Civil Rights (OCR) has shown with several of its recent HIPAA settlements that both covered entities and business associates are liable for potential HIPAA violations.
OCR has said that as healthcare technology continues to evolve and organizations implement new tools to improve patient care, there is more potential risk to the privacy and security of individuals’ health information.
However, OCR added that it will focus “its enforcement efforts and its resources” in areas of alleged non-compliance and “where corrective action under HIPAA may be the only remedy.”
This has been proven in several of the recent OCR HIPAA settlements, which in total have reached approximately $13.5 million.
St. Joseph Health
Healthcare organizations must evaluate and address potential security risks when operational changes affect ePHI; otherwise they could face potential HIPAA violations.
St. Joseph Health (SJH) agreed to an OCR HIPAA settlement of approximately $2,140,500 following reports that it had publicly accessible files containing ePHI from 2011 to 2012. The organization notified OCR on February 14, 2012 that certain files containing ePHI had been publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.
SJH bought a new server to store its files, and that is when the information reportedly became accessible to the public. The server also ran a file sharing application whose default setting allowed anyone with internet access to reach the files.
“Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI,” OCR wrote in its statement.
Additionally, the organization did not conduct an “enterprise-wide risk analysis.” SJH had contractors assess potential risks and vulnerabilities to ePHI in a “patchwork fashion.”
Care New England Health System
In September 2016, Care New England Health System (CNE) agreed to an OCR HIPAA settlement for $400,000 and was also found to have not properly adhered to business associate requirements.
OCR explained in a statement that Women & Infants Hospital of Rhode Island (WIH) was a CNE covered entity and had lost unencrypted backup tapes that held the ultrasound studies of approximately 14,000 individuals.
A business associate agreement (BAA) was in place, but it was not updated until August 28, 2015 and “did not incorporate revisions required under the HIPAA Omnibus Final Rule.”
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” OCR Director Jocelyn Samuels said in a statement. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”
Advocate Health Care
The largest OCR HIPAA settlement to date took place in August 2016, when Advocate Health Care agreed to a $5.55 million settlement.
In that case, Advocate had multiple alleged HIPAA violations and noncompliance issues.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said in a statement at the time. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Three data breach notification reports were submitted to HHS between August 23, 2013 and November 1, 2013.
OCR determined that Advocate must modify its existing risk analysis, develop and implement a risk management plan, implement a process for evaluating environmental and operational changes, and develop an encryption report.
University of Mississippi Medical Center
After multiple reports of alleged HIPAA violations that led to a healthcare data breach, the University of Mississippi Medical Center (UMMC) agreed to a $2.75 million HIPAA settlement with OCR.
UMMC had a reported health data breach that affected 10,000 individuals. OCR determined that UMMC did not take adequate risk management security measures, even after it was aware of certain risks and vulnerabilities to its system.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” OCR Director Jocelyn Samuels said at the time. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
A UMMC privacy officer learned that a password-protected laptop was missing from the Medical Intensive Care Unit (MICU) and that it was likely stolen by a MICU visitor.
OCR determined that “ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password.”
Furthermore, UMMC had not implemented physical safeguards for all workstations with ePHI access and did not implement its policies and procedures to prevent, detect, contain, and correct security violations, according to OCR.
Oregon Health and Science University
Oregon Health and Science University (OHSU) agreed to a $2.7 million OCR HIPAA settlement in the summer of 2016, following two health data breaches it suffered in 2013.
OHSU submitted multiple breach reports that affected thousands of individuals, according to OCR. These included two reports involving unencrypted laptops and one involving a stolen unencrypted thumb drive.
OCR found that OHSU had used Google Mail and Google Drive, which do have security features in place, including password protection. With Google not being an official business associate, there was also no contractual agreement in place to use or store OHSU patient health information, according to OCR.
“From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” OCR Director Jocelyn Samuels said in a statement. “This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”