Healthcare organizations cannot afford to skip out on conducting regular risk assessments, according to several recent OCR HIPAA settlements. Failing to identify potential risks and vulnerabilities in ePHI security could lead to healthcare data breaches.
Risk assessments help covered entities and business associates remain HIPAA compliant with physical, technical, and administrative safeguards. They also help show where an organization might be putting PHI at risk.
Several recent settlements highlight not only the importance of regular risk analysis, but also demonstrate that basic safeguards cannot be overlooked. Furthermore, business associate agreements are also essential for keeping patient data protected, even when that data is held outside a covered entity.
Risk management security measures key for data security
An OCR HIPAA settlement was reached with the University of Mississippi Medical Center in July 2016, following allegations of multiple HIPAA violations.
After investigating a reported breach that affected 10,000 individuals, OCR determined that UMMC did not take adequate risk management security measures, even after UMMC was aware of certain risks and vulnerabilities to its system.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” OCR Director Jocelyn Samuels explained in a statement. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
OCR said it also found that a UMMC drive that held ePHI “was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password.”
Along with a $2.75 million settlement fine, the resolution agreement also required UMMC to adjust its security management process and create a risk analysis and risk management plan that has the necessary security measures to reduce any ePHI risks and vulnerabilities.
Largest HIPAA settlement stems from multiple allegations
Illinois-based healthcare system Advocate Health Care (Advocate) agreed to a $5.5 million OCR HIPAA settlement in August 2016, after it was accused of multiple HIPAA violations and cases of noncompliance.
Advocate submitted three data breach notification reports to HHS between August 23, 2013 and November 1, 2013. OCR found that Advocate had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI and did not implement necessary policies and procedures for facility access controls.
Furthermore, Advocate failed to “obtain satisfactory assurances in the form of a written business associate contract” ensuring that its business associate would properly protect ePHI. An unencrypted laptop was also left in an unlocked vehicle overnight, OCR found.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” Samuels said. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Business associates are not immune from HIPAA violations
Another key takeaway from recent OCR HIPAA settlements is that covered entities are not the only organizations that can face heavy financial fines.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 as part of its settlement. CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS” since the HIPAA Security Rule was implemented, according to OCR.
It also did not “implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply” with the HIPAA Security Rule.
“In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS,” OCR said. “OCR will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a Business Associate.”
Similarly, Oregon Health and Science University (OHSU) agreed to a settlement in July 2016 that was due in part to its use of certain storage services for which no contractual agreement was in place to use or store OHSU patient health information.
One of two alleged data breaches that OCR investigated happened when the university notified 3,044 patients that it had stored their data with Google, an internet-based service provider that was not a business associate.
OHSU used Google Mail and Google Drive, which do have security features in place. However, Google was not an official business associate, so there was no contractual agreement in place to use or store OHSU patient health information.
“We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information,” OHSU Chief Information Officer Bridget Barnes said in a statement.