HIPAA News for Small and Mid-Sized Practices

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.

St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer.

The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested.

The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule had been violation in such a fashion. A similar incident occurred nine months previously when a patient’s PHI was sent via fax to an office where he volunteered.

The Privacy Rule violations in both cases were particularly serious due to the highly sensitive nature of information that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were egregious.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. However, the investigation revealed that St Luke’s had failed to do that on two occasions, violating 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St Luke’s failed to address vulnerabilities in their compliance program to prevent further impermissible disclosures from occurring. Had those vulnerabilities been addressed, the second privacy violation may have been avoided.

In addition to paying OCR $387,200, St Luke’s is required to adopt a corrective action plan. The CAP involves reviewing and updating policies and procedures covering allowable uses and disclosures of PHI and training staff members on policy and procedural updates.

OCR issued a press release announcing the HIPAA settlement in which OCR director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR consideration the nature of the breach and the extent of the harm caused when deciding an appropriate settlement amount.

May is not yet over, but already there have been nine HIPAA settlements between OCR and covered entities to resolve HIPAA violations discovered during the investigation of complaints and data breaches. At the current rate of almost two settlements a month, OCR will double last year’s record breaking number of HIPAA enforcement penalties. The increase in HIPAA penalties shows that OCR is taking a much harder line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent penalties have resulted from complaints involving HIPAA violations relating to one or two patients. It is no longer just large scale data breaches that merit financial penalties. Any severe violation of HIPAA Rules can result in a HIPAA fine.

The post Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty appeared first on HIPAA Journal.

Leading Cause of Healthcare Data Breaches in April was Hacking

Posted by HIPAA Journal

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34.

The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement.

Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights.

The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date. The theft of psychotherapy notes, substance abuse histories, health histories and the personally identifiable information of 4,229 patients of Bangor Health Center in Maine. That incident was one of 16 hacking incidents reported in April.

Hacking/IT incidents were cited as the cause of 47% of data breaches reported in April, followed by insider incidents (29%), and loss and theft of devices/PHI (15%). The cause of 9% of the breaches is currently unknown.

Hacking was the cause of the largest data breach of the month. The incident, which was reported by Harrisburg Gastroenterology, affected 93,323 individuals.

Out of the 16 hacking/IT incidents reported in April, five were related to ransomware infections and three incidents were phishing attacks. There were five breaches due to insider errors and four incidents involving insider wrongdoing.

While the majority of data breaches involved electronic protected health information, healthcare organizations must ensure appropriate controls are in place to secure physical PHI. Five of the breaches reported in April involved the theft or exposure of physical PHI.

There were two business associate data breaches in April and two reported by health plans. The majority of the breaches (79.41%) were reported by healthcare providers.

Texas was the worst affected state with 4 breaches, followed by Michigan, Ohio and New York, each with three incidents.

The post Leading Cause of Healthcare Data Breaches in April was Hacking appeared first on HIPAA Journal.

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Posted by HIPAA Journal

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports– and patient notifications – are required if data have been compromised that have not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI filed office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request and unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organizations cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals.  Requests can be made by emailing NCATS on NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

WannaCry Ransomware Encrypted Hospital Medical Devices

Posted by HIPAA Journal

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypted medical device data.

The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe.

So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs.

Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved within 24 hours and systems were brought back online.

Bayer is not the only device manufacturer that was affected by the ransomware attacks. According to HITRUST, reports were received from healthcare organisations that had Siemens devices encrypted by the ransomware. Siemens has not publicly confirmed that was the case with U.S hospitals, only that the company had been working with the NHS to help resolve the attacks.

HITRUST has been issuing updated information on the WannaCry ransomware attacks and confirmed that evidence has been uncovered suggesting other unnamed medical devices were impacted, in addition to Siemens and Bayer devices.

HITRUST also said indicators of compromise were confirmed via the HITRUST Enhanced IOC program well in advance of the attacks on Friday, pointing out that organizations that had already applied HITRUST CSF controls related to End Point protection and patch management would have appropriately addressed the threat – specifically Control References “09.j Controls Against Malicious Code” and “10.m Control of Technical Vulnerabilities.”

HITRUST also said organizations that leveraged the HITRUST CyberAid program have not been affected by the recent WannaCry ransomware attacks.

While the attacks using Friday’s WannaCry ransomware variant were halted after a researcher identified a kill switch, researcher Matt Suiche identified a second variant that referenced a different domain. He registered that domain and prevented attacks with the second variant, mostly in Russia.

Kaspersky Lab’s Costin Raiu said another version has been identified, with this one lacking the kill switch. While that version is spreading, it appears not to be capable of encrypting files as the ransomware component is corrupted.

What should be of particular concern, not just for healthcare organizations but all businesses, is a threat issued by Shadow Brokers – the group that released the ETERNALBLUE exploit used in Friday’s attacks. Shadow Brokers plans to release further exploits in a similar fashion on a monthly basis, including exploits for vulnerabilities in Windows 10.

Ransomware and other malware attacks on the same scale as WannaCry could become frequent events, highlighting the importance of updating software and applying patches promptly.

The post WannaCry Ransomware Encrypted Hospital Medical Devices appeared first on HIPAA Journal.

HIPAA Compliance Best Practices

Posted by HIPAA Journal

Questions and Answers to Improve Security and Avoid Penalties

By Bill Becker

Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties.

For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions.

Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been resolved.

OCR enforces HIPAA Rules by applying “corrective measures,” including ether settlement or a civil cash penalty.

Only 47 cases have resulted in a settlement, although the total monetary penalty is still an eye-opening $67,210,982.00.  Most compliance issues, OCR reports, stem from improper use or disclosure of electronic protected health information (ePHI); poor health information safeguards; inadequate patient access to their ePHI; and the absence of administrative safeguard for such information.

In other words, there is a fundamental failure in developing and maintaining appropriate security management processes. Which is ironic because one of the very first stipulations in HIPAA § 164.308 (a)(1) calls for organizations to implement policies and procedures to prevent, detect, contain, and correct security violations.

There are several required specifications to implement these management safeguards. These include the following:

Risk analysis – Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity (or its business associate/s).

Risk management – Security measures to reduce risks and vulnerabilities to a “reasonable and appropriate level.”

Sanction policy – Workforce members who do not comply with the security policies and procedures must be sanctioned according to a standard policy applied to violations.

Information system activity review – Procedures to review records of information system activity, including audit logs, access reports, and security incident tracking reports.

Before any of that, however, organizations must use best practices to get their arms around the protected information under their control, and to apply some common sense thinking to managing access to that information.

Let’s look at some of these best practices.

Identify relevant information systems – It seems obvious, but here’s where many organizations fail. You have to be able to identify all information systems that house ePHI. Moreover, you have to be able to analyze business functions and verify the ownership and control of those information systems.

Ask yourself the following questions:

  • Does the hardware and software in your information systems include removable media and remote access devices?
  • Have you identified the types of information you manage?
  • Have you identified and evaluated the sensitivity of each type of information?

Conduct a risk assessment – You have to have an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

To ensure accuracy and thoroughness, ask yourself the following questions:

  • Is the facility located in a region prone to any natural disasters?
  • Have you assigned responsibility to check all hardware?
  • Have you analyzed current safeguards and identifiable risks?
  • Have you considered all processes involving ePHI — including creating, receiving, maintaining, and transmitting protected information?

Acquire IT systems and services – After identifying your systems and exposure to risk, you may find that you’ll need additional hardware, software or services to adequately protect information such as:

  • Multi-Factor Authentication
  • Data-at-Rest Encryption
  • Data-in-Transit Encryption
  • Cryptographic Key Management

When planning for new systems or services, ask yourself the following questions:

  • Will new security controls work with the existing IT architecture?
  • Have you conducted a cost-benefit analysis to make sure the investment is reasonable when measured against potential security risks?

Create and deploy policies and procedures – This is the crux of any working set of management processes. You have to have policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices. Does your formal system security and contingency plan stand up to that kind of scrutiny?

In both the public and private sectors, hospitals, clinics, and other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times. The best practices presented here can help ensure that data isn’t stolen or compromised, and that your organization doesn’t face steep fines for being out of compliance.

Bill Becker is Technical Director of SafeNet Assured Technologies. He can be reached at Bill.Becker@SafeNetAT.com

The post HIPAA Compliance Best Practices appeared first on HIPAA Journal.

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

Posted by HIPAA Journal

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting many U.S. organizations, including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend.

Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security researcher in the UK identified a kill switch and was able to prevent the ransomware from claiming more victims.

While investigating the worm element of the ransomware campaign, the researcher ‘Malware Tech’ found a reference to a domain in the code. That domain had not been registered, so Malware Tech purchased and registered the domain. Doing so stopped the ransomware from encrypting files.

The ransomware performs a domain check prior to encrypting files. If the ransomware is able to connect with the domain in the code, the ransomware exists and does not encrypt any files. If the connection fails, the ransomware continues and starts encrypting files. The purpose of this check is believed to be an attempt to avoid analysis by security researchers.

The good news is that by registering the domain the ransomware attacks have been thwarted. The bad news is that while the version of the ransomware used in Friday’s attacks has been neutralized, a new version of the ransomware – without the kill switch – has reportedly been released already. Heimdal Security said a new version – a Uiwix strain – does not feature the kill switch.

Other security researchers have yet to confirm whether the new variant exists, but even if no new version has been released, it is only a matter of time before that happens.

WannaCrypt Ransomware Attacks Spread Like WildFire

The WannaCrypt ransomware attacks started in Europe with the NHS hit particularly hard. 61 NHS Trusts experienced ransomware infections, which spread rapidly through their networks encrypting all vulnerable devices. The attacks resulted in data being encrypted and computer and telephone systems being taken out of action. Hospitals were forced to cancel operations while IT teams worked around the clock to restore encrypted data. The NHS is still experiencing major disruptions to services.

The attacks took advantage of a vulnerability that was patched by Microsoft on March 13, 2017. Many organizations failed to install the update, even though the vulnerability was categorized as critical and an exploit for the vulnerability was released online last month.

Unfortunately for many organizations, the NHS included, the patch could not be applied to unsupported Windows versions such as Windows XP. Many hospitals still have computers running on the outdated Windows version, even though Microsoft stopped issuing patches on April 8, 2014. Many of the attacks affected older versions of Windows that could not be patched. Microsoft said in a recent blog post that the attacks were not performed on computers running Windows 10.

Microsoft Takes Unusual Step of Issuing a Patch for Unsupported Windows Versions

In response to the WannaCrypt ransomware attacks, Microsoft has taken a highly unusual step of issuing a patch for Windows XP, even though the operating system has not been supported for more than 3 years. The patch also addresses the vulnerability in Windows 8 and Windows Server 2003. Microsoft said in a blog post on the WannaCrypt ransomware attacks that “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.” Healthcare organizations should ensure the patch is applied promptly to prevent future attacks using the exploit.

Microsoft may have issued an emergency patch for unsupported Windows versions, although other vulnerabilities remain unpatched and could potentially be exploited. Any healthcare organization still using Windows XP or other unsupported software is therefore taking a big risk. Continued use of unsupported software is a recipe for disaster as well as a potential HIPAA violation.

Useful Links on the WannaCrypt Ransomware Attacks

US-CERT Ransomware Alert

FBI Indicators Associated With WannaCrypt Ransomware

HHS Update: International Cyber Threat to Healthcare Organizations

The post WannaCrypt Ransomware Attacks Stopped, But Only Briefly appeared first on HIPAA Journal.

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

Posted by HIPAA Journal

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack, with the infection rapidly spreading to multiple NHS trusts taking computer systems out of action and forcing hospitals to cancel operations.

The attack occurred on Friday and affected as many as 40 hospital trusts, causing chaos. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data.

The massive ransomware attack involved Wanna Decryptor 2.0 ransomware or WannaCry/WanaCryptor as it is also known. There is no known decryptor.

The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks.

While the NHS was one of the early victims, the attack has spread globally with the Spanish telecoms company Telefonica also hit, along with FedEx, Universities in China, the German Rail operator and the Russian Interior Ministry. Infections are still spreading globally at an alarming pace.

Avast has reported there have been at least 57,000 worldwide infections in 100 countries. Infections are expected to grow over the next few days. This is already the largest ransomware attack in history, according to Mikki Hypponen of F-Secure.

The Department of Health and Human Services and the Department of Homeland Security have issued alerts about the threat, with the HHS saying yesterday there is evidence of the attack affecting U.S organizations.

Laura Wolf, Critical Infrastructure Lead at the HHS advised all healthcare organizations to “exercise cyber security best practices – particularly with respect to email.”

While the ransomware variant has been spread via spam email, the massive global attack is believed to have involved an exploit called ETERNALBLUE. The exploit was released by Shadow Brokers last month, after allegedly being stolen from the NSA. The exploit has been combined with a self-replicating payload that spreads without any user action required.

The exploit is for a vulnerability in Server Message Block 1.0 (SMBv1), which was patched by Microsoft in March, 2017 (MS17-010).

Any organization that has not yet installed the patch is advised to do IMMEDIATELY.

The post Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread appeared first on HIPAA Journal.

Security Breach Highlights Need for Patient Portals to be Pen Tested

Posted by HIPAA Journal

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information.

The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients PHI, as was recently demonstrated at True Health Diagnostics.

The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patient via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal.

However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website flaw was discovered by a Las Vegas IT consultant called Troy Mursch, who alerted Brian Krebs to the vulnerability last week.

Mursch discovered that after logging into the patient porta, he was able to access health records and medical test results of other patients. Mursch accessed his own test results, which were uploaded to the portal in PDF form but, by changing a digit in the URL, was able to view the medical information of other patients.

True Health Diagnostics used sequential numbers on their PDF files, which makes it easy for the URL to be altered and for other patients records to be viewed via a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls in place to prevent a logged in user from accessing the records of other patients.

Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has now been fixed and the portal is now back online. An investigation has now been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.

In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.

This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards have been implemented to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist. If a solution is purchased from a third party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying no vulnerabilities exist by conducting penetration tests.

OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.

The post Security Breach Highlights Need for Patient Portals to be Pen Tested appeared first on HIPAA Journal.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Posted by HIPAA Journal

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015 constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F .R. § 164.530( e )(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

The post Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine appeared first on HIPAA Journal.