Data Breach, HIPAA / HITECH Enforcement, News Events

An Employee Mistake Leads to a HIPAA Data Breach

Just last month, a Pennsylvania-based hospital suffered a breach of patient data caused by unauthorized access and transmission of PHI by an employee. The 551-bed Penn State Milton S. Hershey hospital discovered through an internal investigation that a lab technician accessed and transmitted protected health data outside of the hospital’s secure network. The key in this breach was that the employee was authorized to work with PHI but in this case did not access and transmit the PHI securely. He used his own USB device and sent patient data through his own personal email address to two physicians.

The important thing to note in this situation is what your organization can do to avoid a situation like this: train your workforce. Not only is workforce training required by HIPAA, it is a prudent means of improving efficiency and confidence in your workforce. Many organizations believe that their biggest threat lies outside their walls. While it is a smart business decision to implement security controls to prevent intrusions from external threats, your organization should also prioritize properly training your workforce. Below is a list of the most investigated issues as noted in the OCR Enforcement highlights.

 

From OCR Enforcement highlights:

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

Security Rule Enforcement Results as of the Date of This Summary

With regard to the subset of complaints specifically pertaining to the Security Rule, since the OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 880 complaints alleging a violation of the Security Rule. During this period, HHS closed 644 complaints after investigation and appropriate corrective action. As of May 31, 2014, OCR had 301 open complaints and compliance reviews.

 

Penn Breach Table

Here is the direct link to the Breaches Affecting 500 or More Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Advertisements
Data Breach, Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits

Organizations must address data breaches before they occur

Read a short blog written by RISC Management and Consulting, LLC Practice Leader Chris Heuman from 2012

“Any organization that creates, collects, stores, processes, transmits, archives, or deletes sensitive information about an individual, must prepare for a Data Breach before it occurs. To address Data Breach response planning after the breach occurs is costly and potentially a game-ender for some companies.”

Follow the link: http://hipaaprivacyandsecurity.blog.com/category/news/

Data Breach, Education, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Data breach results in $4.8 million HIPAA settlements

In the most recent disciplinary action by the Office for Civil Rights regarding a HIPAA Data Breach, the OCR has set a new record for cost per affected individual and total fine amount. A breach affecting 6,800 individuals resulted in $4.8 Million in fines, or almost $706 per affected individual, in addition to the intense, and costly, corrective action plan.

Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.”  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

RA

 

For information about the basics of HIPAA Security Risk Analysis and Risk Management, as well as other compliance tips, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training

The New York and Presbyterian Hospital Resolution Agreement may be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf

The Columbia University Resolution Agreement may be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf

Business Continuity, Data Breach, Disaster Recovery, Education, HIPAA / HITECH Enforcement, Meaningful Use, News Events, OCR HIPAA Audits, Tip of the Week, Vulnerability Testing & Management

Omnibus Rule Compliance today!

Today September 23, 2013 marks the start of the Omnibus Rule enforcement date. 

It is important for providers to start working on compliance with the new requirements as soon as possible.  According to a statement from the Office for Civil Rights (OCR) of the Department of Health and Human Services, certain CLIA -exempt laboratories to revise their Notices of Privacy Practices until further notice. Here is the entire statement issued by OCR:

“The Office for Civil Rights (OCR) of the Department of Health and Human Services announces a delay in its enforcement of the requirement that certain HIPAA–covered laboratories revise their notices of privacy practices (NPPs) to comply with the modifications made to the HIPAA Rules published in the Federal Register on January 25, 2013 (78 FR 5566), commonly known as the “Omnibus Rule,” until further notice. This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B).  The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.”

This is one reprieve for a small part of the Omnibus Rule compliance. One tip for those struggling to comply is to modify existing Business Associate Agreements (BAA). This does not apply to existing BAAs entered into agreement on or before January 25, 2013 and  have been modified after March 26, 2013. For this group, the compliance date is extended until September 23, 2014. 

RISC Management & Consulting , is an organization specializing in data privacy and information security regulations and frameworks, focused on healthcare and financial sectors. RISC assists its clients in understanding the requirements of federal and state regulations and industry frameworks as they apply to sensitive information. RISC Consultants are experts in legal requirements, industry standards, and frameworks including HIPAA – HITECH Act – ISO 27001 & 27002, PCI-DSS, GLBA, FFIEC, State Level information security laws. All of our services are focused on getting you compliant with Privacy & Security requirements, quickly, completely, and affordably.

Enforcement Highlights of the HIPAA Privacy Rule 

HHS / OCR has investigated and resolved over 21,271 cases by requiring changes in privacy practices and other corrective actions by the covered entities as of August 31, 2013.

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the minimum necessary protected health information; and
  5. Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

With regard to the subset of complaints specifically pertaining to the Security Rule, since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 738 complaints alleging a violation of the Security Rule.  During this period, we closed 543 complaints after investigation and appropriate corrective action.  As of August 31, 2013, OCR had 260 open complaints and compliance reviews.

For more information please contact RISC Management and Consulting, www.RISCsecurity.com

Data Breach, Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Social Media

Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice.
The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a data breach of health information affecting 441 patients.

Mobile devices collage
The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients had been stolen in June 2010.
Field workers for the hospice use laptops containing patient information as a regular component of their workflow. In an investigation by the Department of Human Services’ Office for Civil Rights, it was revealed the hospice had not conducted a risk analysis to safeguard the electronic patient information and didn’t have policies or procedures to address mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.
The HIPAA Security Rule and HITECH Act Data Breach requirements mandate the existence policies and the reporting of inappropriate or unauthorized access to PHI or ePHI called breaches. The Health Information Technology for Economic and Clinical Health Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information of 500 individuals or more to the government and the media within 60 days after the discovery of the breach, or when the breach should have been discovered. Smaller breaches affecting less than 500 individuals must be reported to the secretary of Health and Human Services on an annual basis.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” RISC Management’s stance on encryption is that implementation has become easy enough, and cost has been reduced enough, that choosing not to implement encryption is difficult to justify. With the exception of “legacy systems” that were developed long before data encryption was readily available, there are few relational database platforms or operating systems that don’t support encryption today. And even for those systems, there are third party applications and technology that can implement encryption in such a manner that it both provides safe harbor, and, does not require the rewriting of legacy applications.
The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.
The Department of Health and Human Services provides tips to physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work here (visit http://www.HealthIT.gov/mobiledevices).
RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.