In the last few months, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced several enforcement actions based on alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Below is a summary of the recent enforcement actions:
- Untimely Reporting of a Breach. On January 9, 2017, OCR announced the first ever HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information (“PHI”). Presence Health agreed to implement a corrective action plan and pay $475,000 for failing to notify the affected patients, prominent media outlets and OCR within 60 days of discovering the breach. In this case, Presence Health discovered on October 22, 2013 that paper-based operating room schedules, which contained the PHI of 836 patients, were missing. Presence Health did not submit a breach notification report until January 31, 2014.
- Impermissible Disclosure of Unsecured ePHI. OCR announced on January 18, 2017 a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico (“MAPFRE”) for its failure to protect electronic protected health information (“ePHI”) when a USB data storage device was stolen from its IT department, where it had been left overnight. The USB data storage device included complete names, dates of birth and Social Security numbers and affected 2,209 individuals. OCR’s investigation uncovered that MAPFRE failed to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and failed to deploy encryption (or an equivalent alternative measure) on its laptops and removable storage media until September 1, 2014. OCR also determined that MAPFRE failed to implement, or delayed implementing, other corrective measures it had informed OCR it would undertake. In the resolution agreement, MAPFRE agreed to implement a corrective action plan and pay $2.2 million.
- Failure to Encrypt Laptops, Workstations, Mobile and Removable Devices. OCR announced on February 1, 2017 a $3.2 million HIPAA civil money penalty against Children’s Medical Center of Dallas (“Children’s”) for failing to comply with HIPAA on multiple occasions. Children’s had filed two separate breach notification reports with OCR. The first report was filed after an unencrypted, non-password-protected BlackBerry device containing information on over 3,800 patients was lost. In the second breach report, Children’s stated that an unencrypted laptop containing the ePHI of over 2,400 patients was stolen from its premises. OCR’s investigation revealed that Children’s failed to implement risk management plans, contrary to prior external recommendations to do so. OCR also determined that Children’s failed to deploy encryption (or an equivalent alternative measure) on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013. Although Children’s knew of the risk of maintaining unencrypted ePHI on devices, it issued unencrypted BlackBerry devices to nurses and allowed its workforce to continue using unencrypted laptops and other mobile devices until 2013.
- Impermissible Access and Disclosure of PHI. On February 16, 2017, Memorial Healthcare Systems (“MHS”) paid a settlement in the amount of $5.5 million and agreed to adopt a comprehensive corrective action plan for alleged violations of the HIPAA Privacy and Security Rules. MHS reported a breach when employees impermissibly accessed the PHI of over 115,000 individuals and impermissibly disclosed the PHI to other employees at affiliated physician offices. OCR’s investigation revealed that MHS failed to implement procedures for reviewing, modifying and/or terminating employees’ rights of access, despite having workforce access policies and procedures in place.
Based on these recent enforcement actions, healthcare organizations (i.e., covered entities and business associates) should ensure the following:
- Establish policies and procedures. Policies and procedures should outline the internal process for investigating a potential breach, including compliance with HIPAA’s Breach Notification Rule’s timeliness requirements. The policy should state who will be responsible for conducting and overseeing the investigation, including notifying all appropriate parties.
- Utilize audit controls, audit logs and audit trails. Audit controls assist organizations in recording and examining activity in systems and applications that contain or use ePHI. Audit logs and audit trails work in conjunction with audit controls to safeguard ePHI (i.e., by preventing hackers and malevolent insiders from covering their electronic tracks after creating a data breach). Audit trails and logs help reduce risk by:
  - decreasing inappropriate access;
  - tracking unauthorized disclosures of ePHI;
  - detecting performance problems and flaws in applications;
  - detecting potential intrusions and other malicious activity; and
  - providing forensic evidence during the investigation of security incidents and breaches.
For more information regarding the importance of audit controls, see OCR’s January Cyber Awareness Security Newsletter.
- Conduct risk analyses and implement risk management plans. Organizations should periodically conduct a risk analysis to determine their security vulnerabilities as well as their overall compliance with HIPAA. Upon completion of the risk analysis, prioritize the identified vulnerabilities and develop a mitigation plan that addresses each one. The risk management plan must state how the organization will mitigate each vulnerability, assign a point of contact for each vulnerability who will either perform or oversee the mitigation, and set a timeframe for completion. The Board and/or executive management should provide oversight to ensure the organization is complying with the risk mitigation plan. Lastly, the organization must document its mitigation activities.
- Implement safeguards. Protecting PHI/ePHI is critical for healthcare organizations. Organizations must determine which safeguards are appropriate for them, but these should include the following:
  - Establish policies and procedures to protect PHI/ePHI
  - Conduct a risk assessment of the effectiveness of the Privacy program
  - Conduct a security risk analysis, including a vulnerability scan or penetration test
  - Monitor user activities in systems and applications, including access to PHI/ePHI, restriction and termination of access, log-on and log-off attempts, and editing or deleting ePHI
  - Encrypt and password-protect workstations, laptops, and mobile and portable devices
  - Install and enable a firewall
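As an added example (not part of the original post, and not any covered entity’s actual tooling), the following script reviews constructed ePHI audit-log entries against a workforce roster and flags the kinds of events the audit-control and monitoring items above, and the MHS case, point at: access after a user’s termination date, access to records outside the user’s home facility, and exports of ePHI. The log format, the roster fields and the facility rule are assumptions made for the illustration.

```python
"""Review ePHI audit-log entries against a workforce roster (constructed data)."""
from datetime import date, datetime

# Constructed workforce roster: user -> (home facility, termination date or None).
# "asmith" was terminated but, as in the MHS case, the account was never disabled.
ROSTER = {
    "jdoe":   ("main_hospital", None),
    "asmith": ("main_hospital", date(2017, 1, 15)),
    "bjones": ("affiliate_clinic_3", None),
}

# Constructed audit log: timestamp, user, action, patient record id, record's facility.
AUDIT_LOG = """\
2017-02-01T08:05:12 jdoe VIEW P10001 main_hospital
2017-02-01T08:07:44 asmith VIEW P10002 main_hospital
2017-02-01T09:15:03 bjones VIEW P10003 main_hospital
2017-02-01T09:20:30 jdoe EXPORT P10004 main_hospital
2017-02-01T10:02:11 bjones VIEW P20005 affiliate_clinic_3
"""


def parse_log(text):
    """Parse one whitespace-separated entry per line into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, facility = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient, "facility": facility})
    return entries


def review(entries, roster):
    """Return (entry, reason) pairs for accesses that warrant follow-up."""
    findings = []
    for e in entries:
        rec = roster.get(e["user"])
        if rec is None:
            findings.append((e, "unknown user"))
            continue
        home, terminated_on = rec
        if terminated_on and e["ts"].date() >= terminated_on:
            findings.append((e, "access after termination date"))
        elif home != e["facility"]:  # assumed rule: users view only their own facility's records
            findings.append((e, "access to record outside home facility"))
        elif e["action"] == "EXPORT":
            findings.append((e, "export of ePHI"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_log(AUDIT_LOG), ROSTER):
        print(entry["ts"], entry["user"], entry["action"], entry["patient"], "->", reason)
```

In practice the roster would come from the HR or identity system and the log from the EHR application’s audit controls, with the review scheduled rather than run by hand.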