HIPAA Compliance News

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to misbranding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320d-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received from a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.

The post Physician Receives Probation for Criminal HIPAA Violation appeared first on HIPAA Journal.

OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.


Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

Another Year of Heavy OCR HIPAA Enforcement

In 2016, there was a significant increase in HIPAA fines and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties.

The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued.

While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules.

However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first gaining consent. Further settlements were agreed in October, November, and December and OCR finished the year on one civil monetary penalty and 9 settlements to resolve HIPAA violations.

Summary of 2018 HIPAA Fines and Settlements

While 2018 was not a record-breaking year in terms of the number of financial penalties for HIPAA violations, it was a record-breaker in terms of the total penalty amounts paid. OCR received $25,683,400 in financial penalties in 2018. The mean financial penalty was $2,568,340.

[Figure: 2018 HIPAA fines and penalties total]

The median HIPAA fine in 2018 was $442,000, much lower than the 2017 median of $2,250,000. It was also the lowest median fine amount of the last 5 years, although 2018 did see the largest ever HIPAA violation penalty.

In October 2018, Anthem Inc. settled its HIPAA violation case with OCR for $16,000,000. The massive fine was due to the extent of the HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of around 78,800,000 plan members stolen by hackers.

2018 HIPAA Fines and Settlements

| Date | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| February 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards |
| February 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| June 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; No Encryption |
| September 18 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| September 18 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| September 18 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| October 2018 | Anthem Inc | $16,000,000 | Settlement | Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access |
| November 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to reporter; No sanctions against employee |
| December 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 |
| December 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; No BAA |

State Attorneys General HIPAA Enforcement Activities

It is difficult to obtain meaningful statistics on HIPAA fines and settlements by state attorneys general. While state attorneys general can issue fines for violations of HIPAA Rules, in many cases, financial penalties are instead issued for violations of state laws. That said, 2018 did see a major increase in HIPAA enforcement activity by state attorneys general.

There were 12 HIPAA-related financial penalties issued in 2018 by state attorneys general. The New Jersey attorney general was the most active HIPAA enforcer behind OCR with 4 HIPAA fines, followed by New York with 3, Massachusetts with 2, and 1 financial penalty issued by each of Connecticut, District of Columbia, and Washington.

The largest attorney general HIPAA fine of 2018 – Aetna’s $1,150,000 penalty – was issued by New York. Aetna was also fined a total of $640,171 in a multi-state action by Connecticut, New Jersey, Washington, and the District of Columbia. Washington has yet to agree to a settlement amount with Aetna.

EmblemHealth was fined a total of $675,000 for a 2016 data breach: $575,000 by New York and $100,000 by New Jersey.

| State | Covered Entity | Amount | State Residents Affected |
|---|---|---|---|
| Massachusetts | McLean Hospital | $75,000 | 1,500 |
| New Jersey | EmblemHealth | $100,000 | 6,443 |
| New Jersey | Best Transcription Medical | $200,000 | 1,650 |
| Washington | Aetna | TBA* | 13,160 (multi-state total) |
| Connecticut | Aetna | $99,959 | 13,160 (multi-state total) |
| New Jersey | Aetna | $365,211.59 | 13,160 (multi-state total) |
| District of Columbia | Aetna | $175,000 | 13,160 (multi-state total) |
| Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 |
| New York | Arc of Erie County | $200,000 | 3,751 |
| New Jersey | Virtua Medical Group | $417,816 | 1,654 |
| New York | EmblemHealth | $575,000 | 81,122 |
| New York | Aetna | $1,150,000 | 13,160 (multi-state total) |

*Washington yet to determine settlement amount


Flowers Hospital Data Breach Settlement Approved by Judge

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled.

In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients.

A deputy sheriff discovered patient files in the vehicle of a laboratory employee, Karmarian Millender, during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison.

Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs.

The lawsuit alleged the hospital had been negligent by failing to implement adequate measures to prevent data theft. Flowers Hospital attempted to have the lawsuit dismissed for lack of standing and claimed that the plaintiffs failed to link the data breach to economic harm. A judge allowed the plaintiffs to amend the complaint and the motion to dismiss was not carried over to the updated filing.

It has taken nearly five years, but the lawsuit has finally been dismissed and Flowers Hospital has agreed to a settlement of up to $150,000. That settlement was recently approved by a judge. Up to 1,208 patients potentially had their protected health information stolen and those who filed claims will be awarded a proportion of the settlement amount.

The maximum claim per patient is $5,000, which covers loss of interest on delayed tax returns, the cost of credit monitoring services, and compensation for loss of earnings while arranging those services, up to a maximum of 4 hours. The majority of breach victims are expected to be awarded up to $250 in damages.


Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018, followed by a brief description of each breach.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | AccuDoc Solutions, Inc. | Business Associate | 2,652,537 | Hacking/IT Incident |
| 2 | UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident |
| 3 | Employees Retirement System of Texas | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 4 | CA Department of Developmental Services | Health Plan | 582,174 | Theft |
| 5 | MSK Group | Healthcare Provider | 566,236 | Hacking/IT Incident |
| 6 | CNO Financial Group, Inc. | Health Plan | 566,217 | Unauthorized Access/Disclosure |
| 7 | LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident |
| 8 | Health Management Concepts, Inc. | Business Associate | 502,416 | Hacking/IT Incident |
| 9 | AU Medical Center, INC | Healthcare Provider | 417,000 | Hacking/IT Incident |
| 10 | SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal |
| 11 | Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident |
| 12 | Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident |
| 13 | Adams County | Healthcare Provider | 258,120 | Unauthorized Access/Disclosure |
| 14 | MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure |
| 15 | HealthEquity, Inc. | Business Associate | 165,800 | Hacking/IT Incident |
| 16 | St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident |
| 17 | New York Oncology Hematology, P.C. | Healthcare Provider | 128,400 | Hacking/IT Incident |
| 18 | Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident |

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare data breaches of 2018 is provided below.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break-in at its offices. During the time the thieves were in the offices, they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C., a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. For the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer had been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.


Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in a statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.


OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data and patients still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit comments to help it identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare, as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates and impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018 and comments will be accepted for 60 days after the publication date. The RFI can be downloaded on this link.


Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI.

Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI.

On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC. OCR investigated and confirmed remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions on July 8 and September 10, 2013 as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.

Further, the web-based calendar used by PSMC had been provided by a company (Google) that had not signed a business associate agreement with PSMC. Consequently, the use of the calendar in connection with ePHI constituted an impermissible disclosure. Without a BAA in place, PSMC had not received satisfactory assurances that Google would safeguard the ePHI contained in the calendar.

It should be noted that Google Calendar is now a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity prior to using the service in connection with any ePHI, it constitutes a HIPAA violation.

In addition to the financial penalty, PSMC has agreed to adopt a substantial corrective action plan to address all HIPAA compliance failures, including updating its security management and business associate agreement policies and procedures. Staff must also be trained on those new policies and procedures. The corrective action plan last for two years, during which time PSMC will have to submit annual reports to the HHS on whether it has met its compliance obligations.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The settlement sends a message to all HIPAA covered entities of the importance of ensuring access to ePHI is promptly terminated when it is no longer required and serves as yet another reminder of the importance of making sure that a BAA is entered into with all vendors prior to any disclosure of ePHI.

This is the second OCR financial penalty for a HIPAA violation to be announced this month and the tenth OCR HIPAA penalty of 2018.

The post Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400 appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels, a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules, and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.
