BreachExchange mailing list archives

Lessons Learned From the 2015 OCR HIPAA Settlements


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Dec 2015 18:02:34 -0700

http://healthitsecurity.com/news/lessons-learned-from-the-2015-ocr-hipaa-settlements

Maintaining HIPAA compliance should always be a top priority for covered
entities and their business associates, but this is not always a simple
feat to accomplish.

The 2015 OCR HIPAA settlements are all examples of how a seemingly simple
oversight could have far-reaching consequences. Whether it is a lack of a
risk assessment or inferior administrative, technical, or physical
safeguards, healthcare organizations cannot afford to assume that they are
compliant.

Regular policy reviews are essential, along with employee training. A
failure to adhere to HIPAA regulations could not only result in heavy fines,
but it could lead to a healthcare data breach and expose individuals’
personal information.

HealthITSecurity.com decided to review the HIPAA settlements from the past
year, and discuss the key takeaways from the cases. These six examples
resulted in a total of $6.175 million in fines, and should show other
healthcare organizations why HIPAA compliance is essential.

Small facilities are not exempt from OCR oversight

In April, OCR reached a settlement agreement with Cornell Prescription
Pharmacy (Cornell) in Denver, Colorado.

Cornell is a small, single-location pharmacy that provides in-store and
prescription services to patients in the area, and was accused of
improperly disposing of documents containing patient PHI. Approximately
1,600 patients’ information was found in an unlocked, open container on
Cornell’s premises.

OCR Director Jocelyn Samuels explained that regardless of an organization’s
size, they cannot leave PHI in accessible areas or dispose of it in
publicly accessible dumpsters or other containers.

“Even in our increasingly electronic world, it is critical that policies
and procedures be in place for secure disposal of patient information,
whether that information is in electronic form or on paper,” Samuels said
in a statement.

It is essential that covered entities and business associates do not assume
that HIPAA regulations do not apply, or are not as important, either
because of their size or the types of technology used on a daily basis. The
same care that is used for ensuring that technical safeguards, such as
firewalls and encryption, are in place must also be used to keep paper
documents secure.

Timely detection and response are essential

Being able to recognize suspicious activity and then respond appropriately
are also important areas for healthcare organizations to understand. OCR
showed this in its HIPAA settlement with Massachusetts-based St.
Elizabeth’s Medical Center (SEMC).

With SEMC, a complaint was filed to OCR on November 16, 2012, stating that
SEMC workforce members had used an internet-based document sharing
application to store documents containing ePHI of nearly 500 individuals.
An analysis of the risks associated with this practice was not completed,
OCR alleged.

Moreover, SEMC “failed to timely identify and respond to the known security
incident, mitigate the harmful effects of the security incident, and
document the security incident and its outcome.”

SEMC was given a $218,400 fine and required to adopt a corrective action
plan to “cure gaps in the organization’s HIPAA compliance program raised by
both the complaint and the breach.”

No risk analysis can lead to data security oversights

Indiana-based Cancer Care Group, P.C. was fined $750,000 earlier this year
for an incident stemming from 2012.

In the Cancer Care case, a laptop bag containing a laptop computer and
unencrypted backup media were stolen from an employee’s car.

OCR explained that Cancer Care had not conducted an enterprise-wide risk
analysis when the breach occurred, and that the organization did not have a
written policy in place discussing how hardware and electronic media with
ePHI should be removed from its facilities.

“...an enterprise-wide risk analysis could have identified the removal of
unencrypted backup media as an area of significant risk to Cancer Care’s
ePHI, and a comprehensive device and media control policy could have
provided employees with direction in regard to their responsibilities when
removing devices containing ePHI from the facility,” OCR said.

Similar findings occurred with the settlement for Lahey Clinic Hospital,
Inc. (Lahey). OCR wrote that Lahey failed to implement the necessary
physical safeguards for a workstation that houses ePHI after an unencrypted
laptop was stolen.

Moreover, Lahey had “failed to conduct an accurate and thorough analysis of
the potential risks and vulnerabilities to the confidentiality, integrity,
and availability of its ePHI as part of its security management process.”

OCR also underlined the importance of risk analyses in its HIPAA settlement
with the University of Washington Medicine (UWM).

An email containing malware reportedly compromised 90,000 individuals’
ePHI, according to OCR, and UWM “did not ensure that all of its affiliated
entities were properly conducting risk assessments and appropriately
responding to the potential risks and vulnerabilities in their respective
environments.”

“All too often we see covered entities with a limited risk analysis that
focuses on a specific system such as the electronic medical record or that
fails to provide appropriate oversight and accountability for all parts of
the enterprise,” OCR Director Jocelyn Samuels said in a statement.

Samuels added that a successful risk analysis is not only comprehensive in
its scope, but is also completed across the entire healthcare organization.

Basic adherence to Privacy, Security rules

Overall, covered entities and their business associates should review the
HIPAA Privacy and Security rules to ensure they are implementing the
necessary safeguards that are applicable to their operations.

The largest monetary fine issued by the OCR was $3.5 million against
Triple-S Management Corporation (TRIPLE-S). OCR explained that the numerous
data breaches that took place at TRIPLE-S or its subsidiaries prove why
organizations need to comply with the Privacy Rule and the Security Rule, and
ensure that business associate agreements are complete.

Not only did OCR find a failure of administrative, physical, and technical
safeguards, but also that there was a failure to conduct an accurate and
thorough risk analysis. Additionally, TRIPLE-S failed to “implement
security measures sufficient to reduce the risks and vulnerabilities to its
ePHI to a reasonable and appropriate level” and was not adhering to the
“minimum necessary” in terms of PHI disclosure.

Finally, PHI was disclosed to an outside vendor that did not have an
appropriate business associate agreement, according to OCR.

Reviewing policies, regular updates to maintain compliance

All covered entities and business associates must adhere to HIPAA
regulations. Regularly reviewing policies and procedures, and conducting
regular risk assessments are essential. As these cases show, a failure to
maintain compliance could not only expose patient PHI, but could also
create difficulty for the healthcare organization.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/