BreachExchange mailing list archives
Lessons Learned From the 2015 OCR HIPAA Settlements
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Dec 2015 18:02:34 -0700
http://healthitsecurity.com/news/lessons-learned-from-the-2015-ocr-hipaa-settlements

Maintaining HIPAA compliance should always be a top priority for covered entities and their business associates, but this is not always a simple feat to accomplish. The 2015 OCR HIPAA settlements are all examples of how a seemingly simple oversight can have far-reaching consequences. Whether it is a lack of a risk assessment or inferior administrative, technical, or physical safeguards, healthcare organizations cannot afford to assume that they are compliant. Regular policy reviews are essential, along with employee training. A failure to adhere to HIPAA regulations could not only result in heavy fines, but could also lead to a healthcare data breach and expose individuals’ personal information.

HealthITSecurity.com decided to review the HIPAA settlements from the past year and discuss the key takeaways from the cases. These six examples resulted in a total of $6.175 million in fines, and should show other healthcare organizations why HIPAA compliance is essential.

Small facilities are not exempt from OCR oversight

In April, OCR reached a settlement agreement with Cornell Prescription Pharmacy (Cornell) in Denver, Colorado. Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the area, and was accused of improperly disposing of documents containing patient PHI. Approximately 1,600 patients’ information was found in an unlocked, open container on Cornell’s premises.

OCR Director Jocelyn Samuels explained that regardless of an organization’s size, it cannot leave PHI in accessible areas or dispose of it in publicly accessible dumpsters or other containers. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper,” Samuels said in a statement.
It is essential that covered entities and business associates do not assume that HIPAA regulations do not apply, or are less important, either because of their size or because of the types of technology they use on a daily basis. The same care that is used to ensure that technical safeguards, such as firewalls and encryption, are in place must also be used to keep paper documents secure.

Timely detection and response are essential

Being able to recognize suspicious activity and then respond appropriately are also important areas for healthcare organizations to understand. OCR showed this in its HIPAA settlement with Massachusetts-based St. Elizabeth’s Medical Center (SEMC). With SEMC, a complaint was filed with OCR on November 16, 2012, stating that SEMC workforce members had used an internet-based document sharing application to store documents containing the ePHI of nearly 500 individuals. OCR alleged that an analysis of the risks associated with this practice was never completed. Moreover, SEMC “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.” SEMC was given a $218,400 fine and was required to adopt a corrective action plan to “cure gaps in the organization’s HIPAA compliance program raised by both the complaint and the breach.”

No risk analysis can lead to data security oversights

Indiana-based Cancer Care Group, P.C. was fined $750,000 earlier this year for an incident stemming from 2012. In the Cancer Care case, a laptop bag containing a laptop computer and unencrypted backup media was stolen from an employee’s car. OCR explained that Cancer Care had not conducted an enterprise-wide risk analysis when the breach occurred, and that the organization did not have a written policy in place describing how hardware and electronic media containing ePHI should be removed from its facilities.
“...an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility,” OCR said.

Similar findings occurred in the settlement with Lahey Clinic Hospital, Inc. (Lahey). OCR wrote that Lahey had failed to implement the necessary physical safeguards for a workstation that housed ePHI after an unencrypted laptop was stolen. Moreover, Lahey had “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”

OCR also underlined the importance of risk analyses in its HIPAA settlement with the University of Washington Medicine (UWM). An email containing malware reportedly compromised 90,000 individuals’ ePHI, according to OCR, and UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” OCR Director Jocelyn Samuels said in a statement. Samuels added that a successful risk analysis is not only comprehensive in its scope, but is also carried out across the entire healthcare organization.

Basic adherence to Privacy, Security rules

Overall, covered entities and their business associates should review the HIPAA Privacy and Security Rules to ensure they are implementing the necessary safeguards that apply to their operations.
The largest monetary fine issued by OCR was $3.5 million against Triple-S Management Corporation (TRIPLE-S). OCR explained that the numerous data breaches that took place at TRIPLE-S or its subsidiaries prove why organizations need to comply with the Privacy Rule and the Security Rule, and ensure that business associate agreements are complete. Not only did OCR find a failure of administrative, physical, and technical safeguards, but also a failure to conduct an accurate and thorough risk analysis. Additionally, TRIPLE-S failed to “implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level” and was not adhering to the “minimum necessary” standard for PHI disclosure. Finally, PHI was disclosed to an outside vendor that did not have an appropriate business associate agreement in place, according to OCR.

Reviewing policies, regular updates to maintain compliance

All covered entities and business associates must adhere to HIPAA regulations. Regularly reviewing policies and procedures, and conducting regular risk assessments, are essential. As these cases show, a failure to maintain compliance could not only expose patient PHI, but could also create difficulty for the healthcare organization.