March 2016 – RISC Management and Consulting

Readers, please make sure you read all the way to the end because this article points out a significant part of the Corrective Action Plan in this settlement, and the previous one.

March 17, 2016

From the HHS Press Office media@hhs.gov

Improper Disclosure of Research Participants’ Protected Health Information Results in $3.9 million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html

A notable and consistent theme present in the Corrective Action Plan (Appendix A) of both of the recent settlement agreements is the following section, “As a part of this process, [ENTITY] shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store [ENTITY] ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis.” This is of significant note for two reasons:

As consultants in the performance of risk analysis activities, we have seen that accurate inventory of data, systems, and applications is a Unicorn. It is both a beautiful thing, and non-existent.
The requirement of the CAP includes personally owned devices which will then be incorporated into its risk analysis. Wow! This is a huge scope change for a risk analysis, and requires Physicians, APNs, Therapists, Executives, and others to allow their devices’ security to be assessed.

Hopefully the OCR will offer some clarification on this point either in presentations or through other methods as this small phrase in one sentence has huge implications!

Sponsored by: RISC Management and Consulting, LLC http://www.riscsecurity.com/

Appendix A

Corrective Action Plan Between The Department Of Health And Human Services And The Feinstein Institute For Medical Research may be found on the OCR website at http://www.hhs.gov/sites/default/files/FIMR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan.pdf

From the HHS Press Office
media@hhs.gov

$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at:http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.

Risk Management

Risk Management is the practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce or curb the risk.

What Is A Risk Analysis? A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information that your organization may collect, store, process, transmit, or share with others.

After an organization has identified all of the risks to the confidential information that it collects, stores, processes, or transmits, a determination of “What to do with those risk elements?” must be made.

Risk Analysis is the First Step

Document and Analyze

An organization has only four choices to address all risks that are identified

Accepting Risk

An organization has the choice to accept identified risk. However, that decision must be made with thorough and comprehensive knowledge of the potential damage or liability that acceptance implies. The acceptance of risk must be made by executive management, and be based upon all of the available information. Executive Management must make this determination clear, and security policies should be updated to reflect the determination.

Transferring Risk

An organization has the choice to transfer the risky behavior or the risk liability to another party. An example of transferring risk might be obtaining data breach insurance so as to reduce the liability in the event a risk is exploited. Another option is to transfer the risky activity to another party. An example of this might be outsourcing all credit card transactions to a third party that accepts the payment for a percentage of the charged amount.

Eliminating Risk

Another option includes the complete elimination of a risky activity. If risk cannot be reduced sufficiently so that it is acceptable to executive management, and it is not reasonable to transfer that risk to a third party, then an organization may decide to eliminate the risk entirely. In these cases an organization makes an executive decision that the revenue opportunity is not sufficient to justify the residual risk after mitigation strategies are applied.

Reducing Risk

By far the most popular option is risk reduction. Risk reduction is accomplished by many methods. An organization predominantly employs multiple strategies including those above and implementation of reduction strategies and controls.

Organizations might deploy techniques and controls to reduce risk. Controls typically fall into categories such as:

Administrative
Physical
Technical

Controls typically include policies, procedures, practices, processes, technology, logs, checklists, and the like. RISC Management employ experts with extensive experience in these techniques.

RISC Management and Consulting, LLC can assist your organization in identifying, documenting, addressing, and eliminating risk to all your sensitive information. Contact us today to find out how!