Tag Archives: ePHI

OCR Sets HIPAA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server.

HIPAA Settlement Lessons: Risk Assessment and Device Control Policy

The Department of Health and Human Services Office for Civil Rights reached settlement terms with Cancer Care Group for $750,000 in HIPAA violations. The Indiana-based physician group agreed to adopt a corrective action plan to bring its HIPAA program into compliance.

Cancer Care originally reported a breach to the OCR when an unencrypted laptop was stolen from an employee’s car. The computer contained ePHI including names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of around 55,000 patients.

After further investigation, the OCR found Cancer Care to be non-compliant with several HIPAA requirements including:

  • The physician group had not conducted a risk assessment of the potential vulnerabilities to the ePHI stored in its networks.
  • It did not have a written policy in place related to ePHI stored on portable devices that left the organization’s facilities.

OCR found these factors contributed to the data breach. Specifically, OCR Director Jocelyn Samuels stated, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

Director Samuels further stated that, “Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Key Takeaways:

This settlement serves as a reminder to covered entities of the importance of complying with two HIPAA requirements in particular: conducting a risk assessment and maintaining a device management policy.

Lost or stolen devices are common causes for security breaches in the healthcare sector. Policies should include encryption provisions and two-factor authentication for mobile devices and electronic media. Training and awareness for employees on the organization’s security policies is also important to protect ePHI.

HHS and Anchorage Community Mental Health Services Reach Settlement

The Department of Health and Human Services (HHS) announced a settlement with Anchorage Community Mental Health Services (ACMHS) for violations of the HIPAA Security Rule. According to the agreement, ACMHS is required to pay a $150,000 penalty and implement corrective policies to comply with HIPAA standards.

ACMHS notified the Office for Civil Rights (OCR) of a breach affecting the electronic protected health information (ePHI) of over 2,700 individuals. The OCR’s investigation revealed that HIPAA Security Rule policies were not followed properly and malware compromised the security of the company’s IT resources.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Key Takeaway:

OCR’s investigation found ACMHS to be out of HIPAA compliance in several areas, including:

  • Failing to conduct a risk assessment
  • Failing to update IT resources with available patches
  • Running outdated/unsupported software