HIPAA Compliance News

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Posted by HIPAA Journal

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again.

Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed.

Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management process. Several recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong, either failing to conduct them at all, not conducting them frequently enough or conducting them to the standard demanded by HIPAA.

Peters pointed out that privacy violations are occurring frequently, with many HIPAA-covered entities still unsure of the allowable uses and disclosures of PHI. OCR recently announced two settlements have been reached with covered entities that have impermissibly disclosed patients’ health information to employers and the media.

Peters explained that the healthcare industry is not doing a good job at preventing cybersecurity incidents and that warrants attention, but it is important for OCR not to just focus on the hot topics and ‘sexy’ issues. OCR is also focussed on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been numerous instances where ePHI has been exposed as a result of the failure to use encryption. Peters pointed out that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with several organizations in recent months as a result of the lack of appropriate safeguards and policies and procedures covering removable devices.

Peters explained that OCR has been working on sharing penalties or other recoveries with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to determine and quantify harm. OCR is working on an advanced notice of proposed rulemaking and will be seeking advice from the public on how funds should be shared.

OCR is also working on initiatives to improve privacy protections at non-HIPAA covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to be as successful as they should be, patients need to be sure their data will be protected. OCR is providing advice to organizations and partners to ensure that patient data are protected, even if they are collected and stored by non-HIPAA-covered entities.

Peters also spoke of dealing with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

You can listen to the Compliance Perspectives podcast via this link.

The post HIPAA Enforcement Update Provided by OCR’s Iliana Peters appeared first on HIPAA Journal.

OCR and ONC Face Major Budget Cuts

Posted by HIPAA Journal

On Tuesday this week, the Trump administration revealed its 2018 fiscal 2018 budget which revealed the Department of Health and Suman Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) face major cuts to their operational budgets.

The ONC faces the largest budget cut, with its $60 million per year cut by 36% for the coming financial year. ONC would need to lose 26 members of staff, with such a large budget cut likely to force the agency to reconsider its priorities. OCR faces a budget cut of 13%, reducing funding from $38 million to $33 million likely requiring the loss of 16 staff.

The fiscal 2018 budget is not set in stone and changes are likely to be made before the budget is passed by Congress. However, the Trump administration has previously stated the desire to shave $15.1 billion from the Department of Health and Human Services budget and cuts are therefore inevitable.

OCR has many roles, although as the main enforcer of HIPAA Rules, those budget cuts could affect the agency’s HIPAA enforcement activities. OCR has long been planning to implement a permanent HIPAA audit program, although those plans may have to be postponed again.

The second phase of compliance audits, which finally commenced last fall after numerous delays, could also be threatened. OCR has already conducted desk audits but the on-site audits that were due to take place in the first quarter of 2017 have already been pushed back to the end of the year.

Karen DeSalvo said earlier this year that the on-site audits may even be pushed back to 2018. If the budget cuts are approved by Congress, it is possible that those on-site audits of covered entities will be delayed even further or scaled back.

Other HIPAA activities are less likely to be affected. OCR is permitted to keep a proportion of the funds collected from its HIPAA enforcement activities which can be used to fund further investigations and enforcement actions. It is unlikely that major cut backs would be made to HIPAA enforcement actions that bring in much needed funds.

With less funding, some of OCR’s activities would likely need to be scaled back, with OCR’s civil rights activities likely to be adversely affected by the cut in funding.

The new director of the Department of Health and Human Services, Tom Price, issued a statement about the proposed budget saying, it “outlines a clear path toward fiscal responsibility by creating efficiencies that both improve services and save money.” He is likely to have to oversee some major changes to improve the efficiency of his department over the coming months.

The post OCR and ONC Face Major Budget Cuts appeared first on HIPAA Journal.

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.

St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer.

The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested.

The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule had been violation in such a fashion. A similar incident occurred nine months previously when a patient’s PHI was sent via fax to an office where he volunteered.

The Privacy Rule violations in both cases were particularly serious due to the highly sensitive nature of information that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were egregious.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. However, the investigation revealed that St Luke’s had failed to do that on two occasions, violating 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St Luke’s failed to address vulnerabilities in their compliance program to prevent further impermissible disclosures from occurring. Had those vulnerabilities been addressed, the second privacy violation may have been avoided.

In addition to paying OCR $387,200, St Luke’s is required to adopt a corrective action plan. The CAP involves reviewing and updating policies and procedures covering allowable uses and disclosures of PHI and training staff members on policy and procedural updates.

OCR issued a press release announcing the HIPAA settlement in which OCR director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR consideration the nature of the breach and the extent of the harm caused when deciding an appropriate settlement amount.

May is not yet over, but already there have been nine HIPAA settlements between OCR and covered entities to resolve HIPAA violations discovered during the investigation of complaints and data breaches. At the current rate of almost two settlements a month, OCR will double last year’s record breaking number of HIPAA enforcement penalties. The increase in HIPAA penalties shows that OCR is taking a much harder line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent penalties have resulted from complaints involving HIPAA violations relating to one or two patients. It is no longer just large scale data breaches that merit financial penalties. Any severe violation of HIPAA Rules can result in a HIPAA fine.

The post Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty appeared first on HIPAA Journal.

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Posted by HIPAA Journal

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports– and patient notifications – are required if data have been compromised that have not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI filed office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request and unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organizations cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals.  Requests can be made by emailing NCATS on NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

HIPAA Compliance Best Practices

Posted by HIPAA Journal

Questions and Answers to Improve Security and Avoid Penalties

By Bill Becker

Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties.

For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions.

Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been resolved.

OCR enforces HIPAA Rules by applying “corrective measures,” including ether settlement or a civil cash penalty.

Only 47 cases have resulted in a settlement, although the total monetary penalty is still an eye-opening $67,210,982.00.  Most compliance issues, OCR reports, stem from improper use or disclosure of electronic protected health information (ePHI); poor health information safeguards; inadequate patient access to their ePHI; and the absence of administrative safeguard for such information.

In other words, there is a fundamental failure in developing and maintaining appropriate security management processes. Which is ironic because one of the very first stipulations in HIPAA § 164.308 (a)(1) calls for organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.

There are several required specifications to implement these management safeguards. These include the following:

Risk analysis – Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity (or its business associate/s).

Risk management – Security measures to reduce risks and vulnerabilities to a “reasonable and appropriate level.”

Sanction policy – Workforce members who do not comply with the security policies and procedures must be sanctioned according to a standard policy applied to violations.

Information system activity review – Procedures to review records of information system activity, including audit logs, access reports, and security incident tracking reports.

Before any of that, however, organizations must use best practices to get their arms around the protected information under their control, and to apply some common sense thinking to managing access to that information.

Let’s look at some of these best practices.

Identify relevant information systems – It seems obvious, but here’s where many organizations fail. You have to be able to identify all information systems that house ePHI. Moreover, you have to be able to analyze business functions and verify the ownership and control of those information systems.

Ask yourself the following questions:

  • Does the hardware and software in your information systems include removable media and remote access devices?
  • Have you identified the types of information you manage?
  • Have you identified and evaluated the sensitivity of each type of information?

Conduct a risk assessment – You have to have an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

To ensure accuracy and thoroughness, ask yourself the following questions:

  • Is the facility located in a region prone to any natural disasters?
  • Have you assigned responsibility to check all hardware?
  • Have you analyzed current safeguards and identifiable risks?
  • Have you considered all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected information?

Acquire IT systems and services – After identifying your systems and exposure to risk, you may find that you’ll need additional hardware, software or services to adequately protect information such as:

  • Multi-Factor Authentication
  • Data-at-Rest Encryption
  • Data-in-Transit Encryption
  • Cryptographic Key Management

When planning for new systems or services, ask yourself the following questions:

  • Will new security controls work with the existing IT architecture?
  • Have you conducted a cost-benefit analysis to make sure the investment is reasonable when measured against potential security risks?

Create and deploy policies and procedures – This is the crux of any working set of management processes. You have to have policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. Does your formal system security and contingency plan stand up to that kind of scrutiny?

In both the public and private sectors, hospitals, clinics, and other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times. The best practices presented here can help ensure that data isn’t stolen or compromised, and that your organization doesn’t face steep fines for being out of compliance.

Bill Becker is Technical Director of SafeNet Assured Technologies. He can be reached at Bill.Becker@SafeNetAT.com

The post HIPAA Compliance Best Practices appeared first on HIPAA Journal.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Posted by HIPAA Journal

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015 constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F .R. § 164.530( e )(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

The post Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine appeared first on HIPAA Journal.

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Posted by HIPAA Journal

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk.

More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management.

The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch.

George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access management initiatives and ensures Kaiser Permanente continues to protect the ePHi of its 10.2 million members. Decesare will be explain the current healthcare threat landscape and will be offering invaluable advice to attendees on how they can secure their own networks from attack. He will also be offering an overview of how Kaiser Permanente operates its cybersecurity programs and manages risk.

While patients were previously tied to a healthcare organization, now they are able to easily change providers. Many do following a cybersecurity breach that exposes their health information. Jane Harper will be explaining the importance of including consumerism in risk management probability models and will cover techniques for risk management and how changes in healthcare have affected the risk environment.

Matt Trevors will be explaining how healthcare organizations can develop security controls that meet the requirements of the HIPAA Security Rule. In his speech, Trevors will explain whether simply meeting HIPAA Security Rule requirements will be sufficient to prevent data breaches. Trevors will also explain how healthcare organizations can use the Center for Internet Security’s Critical Security Controls (CIS CSC) to help them meet HIPAA Security Rule requirements and will offer advice on the Cyber Resilience Review (CRR) – A free tool that can be used by healthcare organizations to assess their security programs.

M.K. Palmore will be providing an invaluable insight into the current healthcare cybersecurity threat landscape, including an up-to-the-minute overview of the latest threats, including phishing attacks, insider threats, and business email compromise scams. Palmore will be covering some of the recent FBI investigations and will explain how breaches occurred and how they could have been prevented.  Palmore will also explain how healthcare organizations can access the FBI’s considerable resources and use its data to prevent data breaches.

The HIMSS Privacy and Security Forum will be taking place at the Grand Hyatt Union Square, on May 11-12, 2017. Further information can be found on this link.

The post HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape appeared first on HIPAA Journal.

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

Posted by HIPAA Journal

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients.

Patients are required to enter in a range of sensitive information into the MDLive app; however, during the first 15 minutes of use, the app takes screenshots of the data entered by users. According to the lawsuit, an average of 60 screenshots are taken during the first 15 minutes – the time it typically takes a user to register for an account. Those screenshots are then sent to an Israeli company called Test Fairy, which conducts quality control tests.

The lawsuit alleges patients are not informed that their information is disclosed to a third-party company. All data entered into the app can also be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data.

Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories, family medical histories and details of allergies. According to the lawsuit, the screenshots are “covertly” sent to Test Fairy “in near real time.”

The lawsuit suggests patients using the app are likely to assume their data will be kept confidential and that reasonable security measures will be employed to prevent disclosures. However, the lawsuit states that “Contrary to those expectations, MDLive fails to adequately restrict access to patients’ medical information and instead grants unnecessary and broad permissions to its employees, agents, and third parties.”

The lawsuit was filed by the Illinois law firm Edelson PC with app user Joan Richards named as the plaintiff. Typically, for a lawsuit to succeed, an unauthorized disclosure of medical information must result in harm being caused.

Edelson PC attorney Chris Dore said, “Our complaint alleges that the harm is complete at the point that this information is collected without permission.”

MDLive says the lawsuit is “baseless,” that no data breach has occurred, HIPAA Rules have not been violated, and any data entered into the app is safe. While data are disclosed to authorized third parties, those third parties are “bound by contractual obligations and applicable laws.” MDLive also claims any information disclosed is only used for the purpose for which that disclosure is made.

MDLive is seeking to have the lawsuit dismissed.

The post MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations appeared first on HIPAA Journal.

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

Posted by HIPAA Journal

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. Also, that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health- $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.