
Data breach results in $4.8 million HIPAA settlements

In its most recent enforcement action concerning a HIPAA data breach, the Office for Civil Rights (OCR) set a new record for both total settlement amount and cost per affected individual. A breach affecting 6,800 individuals resulted in $4.8 million in settlement payments, roughly $706 per affected individual, on top of an intensive, and costly, corrective action plan.

Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.”  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR's investigation found that neither NYP nor CU had made any effort prior to the breach to ensure that the server was secure and that it carried appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems with access to NYP ePHI. As a result, neither entity had developed an adequate risk management plan addressing the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

For information about the basics of HIPAA Security Risk Analysis and Risk Management, as well as other compliance tips, visit:

The New York and Presbyterian Hospital Resolution Agreement may be found at:

The Columbia University Resolution Agreement may be found at:


Susan McAndrew, David Holtzman, RISC Management and HIMSS13

The HIMSS Annual Conference is a remarkable event. Once a year it brings together thought leaders from across the healthcare industry and the regulatory bodies that oversee it, in a forum for knowledge transfer and demonstration that is unequaled elsewhere.

RISC Management attended presentations by Leon Rodriguez, Director of the Office for Civil Rights of the Department of Health and Human Services; Susan McAndrew, deputy director for health information privacy; and David Holtzman, OCR's health information privacy and enforcement specialist. The presentations included a significant amount of information on the recently released HIPAA Omnibus Rule, even though HIMSS presentations were submitted six months earlier, long before the Omnibus Rule was published.

Susan McAndrew and David Holtzman at HIMSS13
Chris Heuman from RISC Management discusses HIPAA enforcement with David Holtzman of OCR

David Holtzman of the Office for Civil Rights discussed a number of the recent settlement agreements and enforcement actions against organizations, and the reasoning behind some of the significant fines and the terms of the agreements. Several quotes worth noting for Covered Entities, Business Associates, and for "conduits" that have traditionally considered themselves not to be Business Associates follow. There were many more of great relevance during Holtzman's engaging presentation:

Regarding the settlement agreement with Alaska's DHSS, Holtzman said that the penalty resulted from "…a systemic failure to implement a coordinated program." Adding further detail on the Alaska DHSS settlement the previous day, Director Rodriguez indicated that the amount was so significant because the organization continued the same activities even after the breach was noticed, and did not change its behavior as soon as the breach was identified. This makes OCR's expectation clear: an organization must correct the behavior or condition that caused a breach as soon as possible after the breach is identified, not months later when OCR is already investigating.

Regarding the settlement with The Hospice of Northern Idaho, Holtzman stated that, "When OCR contacted The Hospice of Northern Idaho, there were no activities put into place regarding policies, procedures, or actions to address the Security Rule, and in 2011 and 2012 we could just not walk away from that." This was a clear statement that OCR now expects the industry to know the requirements: remaining ignorant of them, or choosing to ignore them, is no longer acceptable. Further, regarding the evident lack of Risk Analysis across the industry, Holtzman said [that there is] "an expectation that every Covered Entity will have engaged in a Risk Analysis process." OCR simply will not accept the absence of a formal risk analysis at this point, a theme the presentation returned to again and again. Holtzman also cited Blue Cross Blue Shield (BCBS) of Tennessee for failing to conduct a Risk Analysis after a change in its environment. The expectation, as the Security Rule itself requires, is that a Risk Analysis be conducted both periodically and whenever the environment or technology changes.

Please make sure your organization understands where it stands today with regard to its legal status (for example, all of those "conduit" organizations that have for years denied being Business Associates), as well as where its risks and vulnerabilities to PHI and ePHI lie. OCR's recent job postings, which both backfill promoted members of the enforcement team and expand its size, are a clear indication of increased vigilance.

This information provided by RISC Management and Consulting,