HIPAA Compliance News

New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

Posted February 22, 2017 by HIPAA Journal

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year.

Last year, the Joint Commission lifted the ban on the use of text messages for orders, although within weeks of the announcement the ban was back in place. Late last year, the Joint Commission partially lifted the ban, saying the use of a secure text messaging platform was acceptable for doctors when communicating with each other, although the use of text messages – regardless of whether a secure, HIPAA-compliant platform was used – remained prohibited.

OCR receives many questions from physicians and covered entities on the use of text messaging and HIPAA Rules. McGraw has confirmed that in response to the many questions, OCR will be issuing HIPAA guidance on text messaging later this year.

In an interview with Information Security Media Group, McGraw explained “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”

In the guidance, OCR will cover the use of text messages between physicians, healthcare organizations, and the sending of messages to patients, along with the circumstances under which the use of text messages is prohibited by HIPAA Rules.

Last year, there were a number of instances of healthcare professionals accidentally disclosing the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable information.

While it is clear to most healthcare professionals what is, and what is not, allowable under HIPAA Rules, guidance on the use of social media platforms will be issued including explanations on when prior authorization from a patient is required.

McGraw also said OCR is working to address its FAQ section on its website as many posted answers are ‘horribly out of date.’

To improve transparency, OCR has been working on guidance on what covered entities can expect then OCR investigators come knocking. OCR investigates all data breaches that have impacted more than 500 individuals, yet how those investigations take place remains something of a mystery. OCR will be releasing an “Anatomy of a Case,” in which the processes that take place when OCR investigates a healthcare data breach or complaint are explained. The guidance will detail how CMPs are calculated and settlements are reached, including the criteria used by OCR when determining appropriate financial penalties.

Much of the guidance has already been written, although it must now be passed to OCR’s legal team. Once that process has been completed, and OCR has made the document readable again, the new guidance will be released.

The post New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough appeared first on HIPAA Journal.

Onsite HIPAA Audits Could Be Delayed by a Year

Posted February 21, 2017 by HIPAA Journal

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed.

It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed.

For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully sent by the end of this week.

Covered entities will be provided with the opportunity to comment on the findings of the audits before the reports are finalized. Business associate audits are continuing, with some audit notifications only sent recently. In total, 45 business associates of covered entities were selected for audit.

The onsite audits will be conducted on a small selection of geographically representative covered entities. Last year, when OCR announced the start of the second phase of HIPAA compliance audits, the onsite audits were expected to be conducted in the first quarter of 2017. However, Deven McGraw said the onsite audits are to be delayed. It is hoped that the onsite audits will still take place this year, although they may “slip into 2018.”

The reason for the delay is it makes more sense to hold fire on the onsite audits until the results of the desk audits are assessed. No final decision has been made on the timescale, although it is possible that the final report for the public on the results of the desk audits may be issued before the onsite audits begin.

Input will also be sought from Tom Price, the new secretary for the Department of Health and Human Services. Secretary Price may have views on how the audits are conducted, which will need to be factored in before the audits commence. McGraw also explained that the desk audits have been an “enormous resource-intensive effort” and OCR does not want to “take on more than it can chew.”

However, while OCR is busy with the audit process, there will be no let up on OCR enforcement activities in 2017. The same pace of HIPAA enforcement activities will continue throughout the year.

The interview with Deven McGraw and further information on OCR’s plans for HIPAA enforcement in 2016 can be found on this link.

The post Onsite HIPAA Audits Could Be Delayed by a Year appeared first on HIPAA Journal.

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation

Posted February 21, 2017 by HIPAA Journal

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguard to protect the ePHI of patients and health plan members. While data encryption is not mandatory technical safeguard, it is an addressable issue. Covered entities must therefore consider the use of encryption technologies to protect ePHI at rest and in motion. If data encryption is not chosen, alternative, security measures must be implemented that offer an equivalent level of protection.

Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, a risk assessment should show that there is a risk of ePHI exposure. Appropriate security controls should therefore be put in place to prevent ePHI exposure in the event that the devices are lost or stolen. Data encryption is one method of securing data, although other controls could equally be used. However, the use of a password on its own is insufficient. Passwords do not offer an equivalent level of protection as data encryption.

In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected but ePHI on the devices was not encrypted and no other technical security controls were used to safeguard the data. The laptop computers were secured to desks with security cables, although the thieves cut through those cables and took the laptops.

Data stored on the devices included names and addresses of policy holders, along with insurance identifiers, birth dates, Some Social Security numbers, and a limited amount of clinical data.

The theft occurred over the course of a weekend when work was being conducted on Horizon BCBSNJ offices. A number of external vendors were provided with unsupervised access to the offices, including the area where the laptops were stored.

This was not the first time that an unencrypted laptop computer containing the ePHI of policyholders was stolen from Horizon BCBSNJ. A laptop computer was stolen from the vehicle of an employee in January 2008. Following that incident, Horizon BCBSNJ changed its policies and started using encryption on all laptop computers used to store ePHI. By May 2008, Horizon BCBSNJ announced that the encryption process had been completed. Training on the use of encryption was also provided to company employees to ensure they were aware of the new security controls.

However, during the course of the Division of Consumer Affairs investigation, it was discovered that more than 100 laptop computers used by Horizon BCBSNJ had no encryption, potentially placing ePHI at risk of exposure. The reason provided for the lack of encryption was the laptops computers were obtained via a non-standard procurement process. As a result, the IT department was unaware that the devices had not been encrypted. The devices were also not subjected to monitoring or servicing, as per corporate policies.

Additionally, the Division of Consumer Affairs investigators determined that the employees who had been issued the two laptop computers were not required to store ePHI, and that doing so violated corporate policies.

The investigators concluded that in addition to violations of HIPAA Privacy and Security Rules, Horizon BCBSNJ had also violated the New Jersey Consumer Fraud Act.

In addition to the $1.1 million fine, Horizon BCBSNJ is required to adopt a robust corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be hired to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be conducted within 180 days of the settlement date, and annually for the next two years. Reports of the findings of the analysis must be submitted to the Division of Consumer Affairs.

Steve Lee, Director of the Division of Consumer Affairs, said “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it,” He also explained that “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”

The post Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation appeared first on HIPAA Journal.

Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System

Posted February 17, 2017 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations.

Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance.

Memorial Healthcare Systems operates six hospitals in South Florida, with its flagship hospital one of the largest in the state. The healthcare system also operates a range of ancillary healthcare facilities, a nursing home, urgent care center, and is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA).

In 2012, Memorial Healthcare discovered a breach of ePHI had occurred. The breach was reported to OCR on April 12, 2012. That breach related to two employees who were discovered to have inappropriately accessed patients’ ePHI including names, birth dates, and social security numbers. Federal charges were brought against the individuals for selling on stolen ePHI and filing fraudulent tax returns, although OCR investigated to determine whether there were any underlying violations of HIPAA Rules that contributed to the exposure and theft of PHI. Memorial Healthcare was investigated by OCR in the summer of 2012.

Memorial Healthcare also conducted its own investigation which revealed that those two employees were not the only individuals to have inappropriately accessed ePHI. Memorial Healthcare’s investigation determined that 12 individuals at its affiliated physician offices had also inappropriately accessed the ePHI of patients. In total, the ePHI of 115,143 individuals was impermissibly accessed by its employees.

The investigation revealed that the login credentials of a former employee of one of its affiliated physician offices had been used to access the ePHI of patients on a daily basis for a period of a year. The login credentials were discovered to have first been used to access ePHI without authorization in April 2011, and access continued until April 2012, when the improper access was detected and blocked. The ePHI of 80,000 patients had been accessed using those login credentials.

In accordance with HIPAA Rules, Memorial Healthcare system had implemented policies and procedures covering ePHI access by its workforce, but the healthcare system had failed to implement procedures to review and modify users’ access rights to ePHI when access was no longer required. Several risk analyses had previously been conducted between 2007 and 2012 which highlighted the risk to ePHI.

Inappropriate access by its employees and staff at affiliated physician offices continued for a year, yet Memorial Healthcare did not notice as reviews of information system activity were not regularly checked.

OCR investigators determined that Memorial Healthcare had violated HIPAA Rules (45 C.F.R. §§160.103 and 164.502 (a))) by providing access to PHI to a former employee of an affiliated physician practice between April 1, 2011 and April 27, 2012.

A violation of 45 C.F.R. §164.308(a)(l)(ii)(D) occurred between January 1, 2011 and June 1, 2012, as regular reviews of records of information system activity had not been performed.

45 C.F.R. § 164.308(a)(4)(ii)(C) had also been violated by failing to modify a user’s right of access to a workstation, transaction, or program allowing ePHI to be impermissibly accessed.

Each HIPAA violation carries a maximum penalty of $1.5 million, per year that each violation was allowed to persist. Had Memorial Healthcare not agreed to settle with OCR, the financial penalty would have been considerably higher.

This HIPAA settlement brings the annual total up to three settlements and one Civil Monetary Penalty (CMP). Earlier this month, OCR announced a $3.2 million CMP for Children’s Medical Center of Dallas. In January, a settlement of $2.2 million was agreed with MAPFRE Life Assurance Company of Puerto Rico for impermissible disclosure of ePHI, and a $475,000 settlement was agreed with Presense Health to resolve HIPAA Breach Notification Rule violations.

OCR Acting Director Robinsue Frohboese announced the latest HIPAA settlement saying “Access to ePHI must be provided only to authorized users, including affiliated physician office staff.” Frohboese also explained that “Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

At the current rate, last year’s record breaking year for HIPAA settlements will be eclipsed in 2017. The regularity of HIPAA settlements and CMPs should send a strong message to covered entities that OCR is coming down hard on organizations discovered to have violated HIPAA Rules and exposed patients’ protected health information.

The post Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System appeared first on HIPAA Journal.

Covered Entities Flirting with Fines for Late Data Breach Reports

Posted February 14, 2017 by HIPAA Journal

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presense Health.

The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presense Health had delayed the issuing of breach notification letters to patients. Presense Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA violations.

However, since the announcement was made, there have been a number of instances where covered entities have unnecessarily delayed the issuing of breach notification letters to patients and data breach reports to OCR.

The January Breach Barometer – released by Protenus yesterday – indicates 40% of data breaches reported in January 2017 had notifications sent outside of the timescale required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule.

The loss, theft, or exposure of patients’ electronic protected health information potentially places them at an elevated risk of suffering identity theft and fraud. When data breaches are reported promptly, patients can take rapid action to protect their identities, secure their accounts, and mitigate risk. However, when breach notification letters are delayed unnecessarily patients face a higher risk of suffering financial losses since mitigations will not be in place.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule was introduced to ensure that patients are made aware of any ePHI breach promptly. Any breach of unsecured protected health information requires individual notices to be sent to all affected patients by first class mail (or email if patients have elected to receive electronic communications) “in no case later than 60 days following the discovery of a breach.” However, breach notification letters should be sent without unreasonable delay.

Notification letters should include a summary of the nature of the breach, details of the information that was exposed or stolen, information about the steps that are being taken by the covered entity/business associate to prevent future data breaches, and steps that can be taken by the individual to protect themselves from potential harm. A toll-free number should also be provided to allow affected individuals to make contact for further information. That toll-free number must remain active for 90 days from the date of the notification letters.

Additionally, a substitute breach notice must be placed on a prominent part of the covered entity’s website notifying individuals of the breach if contact information is not held for 10 or more individuals, or if that contact information is out of date and incorrect.

A media notice must be issued if a breach affects more than 500 residents of a state or jurisdiction. That breach notice must be issued to a prominent media outlet serving the state or jurisdiction. The media notice must also be issued within 60 days of the discovery of the breach.

The Secretary of the Department of Health and Human Services must be notified of a breach of more than 500 individuals’ ePHI via the Office for Civil Rights’ breach reporting tool. That notification should be provided without unreasonable delay and no later than 60 days following the discovery of the breach. Notifications about smaller breaches – those impacting fewer than 500 individuals – can be made up until 60 days following the end of the calendar year when the breach was discovered. However, notifications to affected individuals must still be issued within 60 days of the discovery of the breach.

The Breach Notification Rule and Business Associate Data Breaches

The 60-day window for issuing breach notification letters applies to both covered entities and business associates of covered entities. In the case of the latter, the covered entity may delegate responsibility for the issuing of breach notification letters to its business associate.

Covered entities should consider whether the business associate is in the best position to issue breach notification letters before the responsibility is delegated.

Recently, a breach at a business associate of a covered entity saw the business entity issue breach notification letters to affected individuals. However, since the affected individuals were unaware that the business associate was contracted to their insurance provider, the letters caused some confusion. The letters provided the necessary information to allow patients to take steps to protect their identities, but with no mention of the covered entity, some patients thought the letters were some sort of scam.

While not stated in the Breach Notification Rule, it would be of benefit in such situations to include the name of the covered entity in the letters or for the covered entity – and not the business associate – to issue notifications to patients.

Penalties for Late Breach Notifications

Office for Civil Rights has shown that breach notification delays do warrant the issuing of financial penalties in certain situations, and the penalties can be severe. While Presense Health was only fined $475,000 for delaying the issuing of breach notification letters for one month, considerably higher fines are possible.

OCR is permitted to fine covered entities, or their business associates, a maximum of $1,500,000 for each violation of HIPAA Rules. The HIPAA violation penalties are determined based four categories of violations, with the penalties ranging from $100 per violation up to a maximum of $50,000 per violation.

Given the willingness of OCR to penalize covered entities for HIPAA Breach Notification Rule violations, covered entities should make sure that their data breach policies and procedures include the timescales for issuing breach notifications to patients/OCR, and to ensure that those notifications are issued within the allowed timeframe.

The post Covered Entities Flirting with Fines for Late Data Breach Reports appeared first on HIPAA Journal.

Will HHS Secretary Tom Price Ease HIPAA Regulations?

Posted February 13, 2017 by HIPAA Journal

Tom Price was appointed as secretary of the Department of Health and Human Services on February 10, 2017, replacing Sylvia Matthews Burwell. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities of the Office for Civil Rights.

The appointment of a new director for the Office for Civil Rights may not be first on Price’s to do list, although the new HHS secretary is expected to appoint a new OCR director soon. Price’s leadership and choice of OCR director could have a major impact on how OCR enforces HIPAA Rules and how rigorous those enforcement activities are.

Since taking up the position of OCR Director in July 2014, Jocelyn Samuels oversaw a major increase in HIPAA enforcement activity. Last year, Jocelyn Samuels announced 12 settlements (and one CMP) with covered entities who were discovered to have violated HIPAA Rules during investigations into data breaches – a record year of enforcement for OCR.

Jocelyn Samuels also oversaw the second phase of the much delayed second phase of HIPAA compliance audits. Last year, the audits finally commenced with approximately 200 covered entities and HIPAA business associates subjected to a HIPAA compliance desk audit. Full compliance audits have been scheduled for early 2017 as part of the second phase. Samuels was keen to increase financial penalties for HIPAA violators and ensure non-compliance was identified and corrected, but the leadership changes place future HIPAA enforcement in doubt.

However, given the number of data breaches experienced by the healthcare industry in the past 12 months, it seems unlikely that OCR enforcement efforts will be scaled back.

“As 2016 has seen an acceleration in the number of breaches to patient data, we expect healthcare cybersecurity and privacy protection will be a central focus of the incoming administration. We hope to see a much-needed focus on keeping patient data protected and out of the hands of criminals and malicious insiders,” says Robert Lord, ICIT Fellow and CEO of Protenus.

Could HIPAA Rules be Amended by Price?

HIPAA Rules are viewed by many physicians to be overly restrictive. Tom Price is a physician, and as such, he will be well aware of the burden on doctors to comply with HIPAA regulations. While it is not clear where Price stands on the Privacy, Security, and Breach Notification Rules, he has previously advocated the easing of Meaningful Use burdens by extending the timeline for compliance with the financial incentive program. How his past role as a physician will affect his decisions as HHS secretary remains to be seen.

An update to the HIPAA Security Rule is certainly due, although President Trump has made it quite clear that his administration is against excessive regulation. For each new regulation issued by an agency, two regulations need to be eliminated. The increase in healthcare cybersecurity breaches may warrant an update to the Security Rule and increased regulation, but for the foreseeable future, increased HIPAA regulations are perhaps not to be expected.

Any easing of HIPAA Rules is likely to have a negative effect on data security. Since many healthcare organizations focus their cybersecurity programs toward achieving compliance with HIPAA, any easing of HIPAA restrictions could see cybersecurity efforts scaled back. If covered entities are required to do less to keep data secure, this would likely lead to an increase in healthcare data breaches. HIPAA Rules may therefore remain unchanged for the foreseeable future.

The post Will HHS Secretary Tom Price Ease HIPAA Regulations? appeared first on HIPAA Journal.

High Costs are Preventing Many Patients from Accessing their Medical Records

Posted February 2, 2017 by HIPAA Journal

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare.

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently explained patients’ right to obtain copies of their medical records and created a series of videos explaining how the HIPAA Privacy Rule applies to patients. OCR also issued guidance for HIPAA-covered entities on allowable charges for labor, printing, and postage last year.

A flat fee of $6.50 has been recommended for providing electronic copies of medical records – should HIPAA-covered entities opt for a single charge for providing designated record sets to patients. While not all covered entities choose this model, the costs associated with obtaining copies of electronic copies of medical records are usually relatively low. However, not all patients have easy access to the technology that will allow them to view those records.

In such cases, paper copies are the only option, yet the cost of obtaining printouts of medical records is often considerably higher. In many cases, obtaining paper copies of medical records can be prohibitively expensive, especially for patients who have extensive medical histories spanning several pages. If the costs of obtaining medical records are too high, patients will be discouraged from accessing their medical records. That can make it harder for patients to choose their healthcare providers and share their ePHI.

Many physicians are concerned that the amounts being charged by some healthcare providers prevents many patients from exercising their rights under HIPAA to obtain copies of their medical records.

A recent article published in JAMA Internal Medicine highlights just how expensive it can be for patients to obtain their medical records if they choose paper over electronic copies.

The researchers indicate the cost of obtaining paper copies of medical records in Texas, for example, can be as high as $3.57 per page, not including the cost of postage or providing images. For a medical file of 15 pages, the cost would be $53.60. A full copy of medical records spanning 100 or more pages would see the price jump to several hundred dollars. For many Americans, the cost would prevent them from obtaining a copy of their records.

The high cost not only prevents patients from sharing their data with healthcare providers, it also has potential to prevent patients from providing their medical data for use in research. Patients would also not have the opportunity to check their medical records for errors, which could have a major negative impact on future care.

Currently, only one state – Kentucky – has laws in place that require healthcare providers to provide copies of medical records free of charge in the first instance. Researchers for the article suggest that the laws in Kentucky should serve as a model that all states should follow.

The post High Costs are Preventing Many Patients from Accessing their Medical Records appeared first on HIPAA Journal.

$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas

Posted February 2, 2017 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years.

It is relatively rare for OCR a HIPAA Civil Monetary Penalty to be paid by a HIPAA-covered entity to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR.

Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015, to August 30,2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently, Children’s Medical Center of Dallas was required to pay the full civil monetary penalty of $3,217,000, making this the biggest HIPAA violation penalty of 2017, eclipsing the payments made by Presense Health ($475,000) and MAPFRE Life Insurance Company of Puerto Rico ($2.2 million).

Children’s Medical Center of Dallas is run by Children’s Health, a Dallas-based healthcare system comprising three hospitals and numerous clinics in North Texas. On January 18, 2010, OCR was notified by Children’s Medical Center that a breach of patients’ electronic protected health information (ePHI) had occurred. The breach involved the loss of a Blackberry device containing the ePHI of 3,800 patients. The device had not been encrypted and was not protected with a password, allowing any individual who found the device to access the ePHI of patients.

An investigation into the breach was launched on or around June 14, 2010. As part of the investigation, Children’s Medical Center provided OCR with a Security Gap Analysis conducted by Strategic Management Systems, Inc., (SMS) between December 2006 and February 2007. That analysis revealed a lack of risk management at Children’s Medical Center. In the report, SMS recommended that Children’s Medical Center implement encryption on portable devices such as laptop computers to prevent the exposure of ePHI in the event that a device be lost or stolen. Children’s Medical Center failed to act on that recommendation.

PricewaterhouseCoopers (PwC) conducted an analysis of threats and vulnerabilities to ePHI in August 2008. In the PwC report, it was also recommended that Children’s Medical Center implement encryption on laptop computers, workstations, mobile devices, and portable storage devices such as USB thumb drives. PwC determined that the use of encryption was “necessary and appropriate.” Children’s Medical Center failed to act on PwC’s recommendations, even though encryption was rated as a “high priority” item.

To OCR it was clear that Children’s Medical Center was aware of the risks to the confidentiality, integrity, and availability of ePHI and that were was a lack of appropriate safeguards for ePHI at rest. Children’s Medical Center was aware of the risks as early as March 2007, more than a year before the security incident occurred and ePHI was exposed. Had Children’s Medical Center acted on the recommendations of SMS or PwC the breach could have been avoided.

In addition to the lost Blackberry in 2010, Children’s Medical Center reported the loss of an unencrypted iPod containing the ePHI of 22 patients. The loss occurred in December 2010. On July 5, 2013, Children’s Medical Center notified OCR of another breach involving an unencrypted device. In this case, the laptop theft resulted in the exposure of 2,462 individuals’ ePHI.

Even after the data breaches were experienced, Children’s Medical Center failed to act; only implementing encryption on portable devices in April, 2013. From 2007 to April 9, 2013, nurses were using unprotected Blackberry devices that contained ePHI, while other workers were using unencrypted laptop computers and mobile devices until April 9, 2013.

Encryption of ePHI is not mandatory for HIPAA-covered entities. The use of encryption to safeguard the confidentiality, integrity, and availability of ePHI is an ‘addressable’ issue.

HIPAA-covered entities are required to conduct a comprehensive, organization-wide risk assessment to determine vulnerabilities that could potentially result in the exposure of ePHI. If, after performing the risk assessment, the covered entity determines that encryption is not ‘reasonable and appropriate’, the reasons why encryption is not deemed necessary must be documented and an equivalent measure must still be implemented to ensure ePHI is appropriately secured. Children’s Medical Center failed to document why encryption had not been used and also failed to implement an equivalent security measure.

Furthermore, OCR determined that prior to November 9, 2012, Children’s Medical Center did not have sufficient policies and procedures governing the removal of hardware and electronic equipment from its facilities or movement of the devices within its facilities. Until November 9, 2012, Children’s Medical Center could not tell how many devices those policies and procedures should apply to: A full inventory was only completed on November 9, 2012. While devices had been inventoried prior to November 9, 2012, devices managed by the Biomedical department were not included in that inventory, breaching the HIPAA Security Rule (45 C.P.R. § 164.310(d)(l)).

While efforts were made to resolve the HIPAA violations informally, Children’s Medical Center was unable to ‘provide written evidence of mitigating factors or affirmative defenses and/or its written evidence in support of a waiver of a CMP.’

OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules. Had that not been the case, the penalty would have been considerably higher. OCR considered the fact that there had been no apparent harm caused to patients as a result of the lost devices, and chose the minimum penalty amount of $1,000 per day that the violations were allowed to persist.

OCR’s Final Notice of Determination can be viewed on this link.

According to OCR Acting Director Robinsue Frohboese, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential.” Frohboese also explained that the lack of risk management can be costly for covered entities, “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

The post $3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas appeared first on HIPAA Journal.

$2.2 Million Settlement for Impermissible Disclosure of ePHI

Posted January 19, 2017 by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – A subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

5 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and a failure to implement measures to reduce risks to an appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316 (a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI to comply with HIPAA standards implementation specifications.

Additionally, the corrective measures MAPFRE said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not require covered entities to implement encryption on portable devices used to store ePHI. Data encryption is only an addressable issue. However, covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. If, after assessing risks, covered entities determine that other controls are in place to safeguard ePHI and data encryption is not appropriate, the reasons for not implementing encryption must be documented.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced a settlement of $475,000 had been agreed with Presense Health for violations of the HIPAA Breach Notification Rule.

The post $2.2 Million Settlement for Impermissible Disclosure of ePHI appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information