HIPAA Compliance News

No HIPAA Violation Fine for Virginia State Senator

Posted by HIPAA Journal

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign.

Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: A violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year.

An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule.  Such violations can result in financial penalties being issued.

Dunnavant, who was later elect to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been imprisoned for up to 10 years. However, OCR has chosen not to take further action.

No financial penalty was deemed appropriate as Dunnavant took immediate action to minimize damage. The investigation into the HIPAA violations has now been closed.

HIPAA violations are not always punishable with civil monetary penalties and do not always require resolution agreements. OCR prefers to resolve HIPAA violations through voluntary compliance and by issuing technical assistance. Civil monetary penalties and resolution agreements are typically reserved for the most serious violations of HIPAA Rules.

While Dunnavant’s use of patient contact information to solicit contributions did violate HIPAA Rules, the privacy violation was relatively minor and no patients came to harm as a result. Dunnavan believed her actions were permitted under HIPAA Rules as she had obtained a business associate agreement prior to disclosing the information.

Senator Dunnavant told the Richmond-Times Dispatch that the mailings were intended to advise patients of her political activity and reassure them that it would not have an impact on the provision of medical services. Dunnavant said she sought advice from her lawyers and medical practice board before sending the letter and no HIPAA issues were raised.  She also said she regretted adding an appeal for political support to the letters.

The post No HIPAA Violation Fine for Virginia State Senator appeared first on HIPAA Journal.

OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access

Posted by HIPAA Journal

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.

Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. Once case involved the viewing of a celebrity’s medical records by multiple staff members.

Late last week, OCR released its January Cyber Awareness Newsletter which covered the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, system or users, while audit trails are audit logs of applications, system or users.

Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on, and the duration of login periods, and whether data have been viewed.

Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.

OCR confirmed that recording data such as these, and reviewing audit logs and audit trails is a requirement of the HIPAA Security Rule. (45 C.F.R. § 164.312(b)).

The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the types of data that should be collected are not specified by the legislation. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide on which data elements are stored in logs. It will be quicker and easier to review audit logs and trails if they only contain relevant information.

The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities, instead this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.

A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.

OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”

The post OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access appeared first on HIPAA Journal.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

 

Summary of 2016 HIPAA Settlements

 

Covered Entity Date Amount Breach that triggered OCR investigation Individuals impacted
University of Massachusetts Amherst (UMass) November, 2016 $650,000 Malware infection 1,670
St. Joseph Health October, 2016 $2,140,500 PHI made available through search engines 31,800
Care New England Health System September, 2016 $400,000 Loss of two unencrypted backup tapes 14,000
Advocate Health Care Network August, 2016 $5,550,000 Theft of desktop computers, loss of laptop, improper access of data at business associate 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center July, 2016 $2,750,000 Unprotected network drive 10.,000
Oregon Health & Science University July, 2016 $2,700,000 Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia June, 2016 $650,000

 

 Theft of mobile device 412 (Combined total)
New York Presbyterian Hospital

 

 April, 2016 $2,200,000 Filming of patients by TV crew Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina April, 2016 $750,000 Improper disclosure to business associate 17,300
Feinstein Institute for Medical Research March, 2016 $3,900,000 Improper disclosure of research participants’ PHI 13,000
North Memorial Health Care of Minnesota March, 2016 $1,550,000 Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. February, 2016 $25,000 Improper disclosure of PHI (website testimonials) Unconfirmed
Lincare, Inc.

 

 February, 2016* $239,800 Improper disclosure (unprotected documents) 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

 

The largest HIPAA settlement of 2016 –  and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.

$475,000 Settlement for Delayed HIPAA Breach Notification

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA settlement of 2017. This is also the first settlement to date solely based on an unnecessary delay to breach notification after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.

Following a breach of PHI, the HIPAA Breach Notification Rule requires covered entities to issue breach notification letters to all affected individuals advising them of the breach. Those letters need to be issued within 60 days of the discovery of the breach, although covered entities should not delay the issuing of breach notifications to patients or health plan members unnecessarily.

Additionally, if the breach affects more than 500 individuals, a breach report must be submitted to Office for Civil Rights within 60 days and the Breach Notification Rule also requires covered entities to issue a breach notice to prominent media outlets. Covered entities should also place a substitute breach notice in a prominent place the company website to alert patients or plan members to the breach.

Smaller breaches impacting fewer than 500 individuals must also be reported to OCR, although covered entities can report these smaller breaches annually within 60 days of the end of the calendar year. Covered entities should note that state data breach laws may not permit such delays and that regardless of the number of individuals impacted by a breach, HIPAA requires patients to always be notified within 60 days of a PHI breach.

Presence Health experienced a breach of physical protected health information (PHI) in late 2013. Operating room schedules had been removed from the Presense Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois, and could not be located. The documents contained sensitive data on 836 patients, including names, birth dates, medical record numbers, details of procedures performed, treatment dates, the types of anaesthesia provided, and names of the surgeons that performed operations.

Presence Health became aware that the documents were missing on October 22, 2013, yet OCR was not notified of the breach until January 31, 2014, more than a month after the 60-day HIPAA Breach Notification Rule deadline.

OCR investigates all breaches of more than 500 records – and selected branches of fewer than 500 records. The OCR investigation revealed notification to OCR was issued 104 days after the breach was discovered – 34 days after the deadline for reporting the incident had passed. A media notice was issued, although not until 106 days after the breach was discovered – 36 days after the HIPAA Breach Notification Rule deadline. Patients were notified of the breach 101 days after discovery – 31 days after the HIPAA Breach Notification Rule deadline had passed.

Investigators determined that this was not the only instance where breach notifications to patients had been delayed. Presense Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presense Health did not provide affected individuals with timely breach notifications.

Announcing the resolution agreement and settlement, OCR Director Jocelyn Samuels said “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.” She went on to explain the reason why individuals need to be notified of PHI breaches promptly, saying “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The settlement should serve as a warning to HIPAA covered entities that unnecessary breach notification delays can have serious financial repercussions. 60-days is the maximum time frame for reporting (and announcing) PHI breaches, not a recommendation.

The post $475,000 Settlement for Delayed HIPAA Breach Notification appeared first on HIPAA Journal.

UMass to Pay OCR $650K to Resolve HIPAA Violations

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013.

In early 2013, malware was installed on a workstation in the Center for Language, Speech, and Hearing. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Those individuals had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the actors behind the malware attack.

Following the discovery of the infection in 2013, UMass conducted a detailed analysis of the infected workstation. The malware was a generic remote access Trojan and infection occurred because the workstation was not protected by a firewall. UMass ascertained that access to ePHI had been gained.

OCR investigates all data breaches that impact more than 500 individuals to determine whether breached entities have complied with the HIPAA Privacy, Security, and Breach Notification Rules and whether breaches have occurred as a result of HIPAA violations. According to the resolution agreement, OCR was notified of the breach by UMass on June 4, 2013 and an investigation was launched on August 27, 2013.

OCR investigators discovered a number of areas of non-compliance with HIPAA Rules that directly contributed to the UMass data breach.

As a hybrid entity, UMass is only required to comply with HIPAA Rules for some of its components – Those that meet the definition of a covered entity or business associate under HIPAA definitions. UMass had implemented appropriate safeguards to protect the confidentiality, integrity, and availability of ePHI for its University Health Services component; but those same controls were not used for the Center for Language, Speech, and Hearing as UMass did not designate it as a healthcare component.

According to OCR, “To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”

This error meant that UMass did not conduct a HIPAA-compliant risk analysis at the Center. A risk analysis was eventually performed, but not until September 2015. UMass also failed to implement technical security measures to protect the Center’s network and prevent unauthorized ePHI access.

The HIPAA violations could have resulted in a much higher financial penalty but OCR took the University’s finances into account. OCR said the settlement “is reflective of the fact that the University operated at a financial loss in 2015.”

OCR Director Jocelyn Samuels announced the settlement and explained that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” Samuels went on to say “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

UMass agreed to the settlement with no admission of liability. UMass will pay a $650,000 penalty and will adopt a corrective action plan (CAP) to ensure policies and procedures are brought in line with the minimum standards required under the Health Insurance Portability and Accountability Act.

The CAP requires UMass to conduct a comprehensive risk analysis of all equipment, systems and applications that are used to access or store ePHI to ensure all risks to the confidentiality, integrity, and availability of ePHI are identified.

An enterprise-wide risk management plan must also be developed to address all risks to ePHI that are identified by the risk analysis. A full review of policies and procedures must also take place to ensure they comply with Federal standards, and all staff members must be provided with training on those policies and procedures after they have been approved by OCR.

The post UMass to Pay OCR $650K to Resolve HIPAA Violations appeared first on HIPAA Journal.