Tag Archives: HIPAA

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”

Key Takeaways from the New and Improved HIPAA Breach Reporting Tool

Several issues were raised in the past about the Office for Civil Rights’ (OCR) website commonly referred to as the “Wall of Shame.” In response, OCR announced the updated version of their rebranded HIPAA Breach Reporting Tool (HBRT).

The old Wall of Shame and new HIPAA Breach Reporting Tool both publish information received by OCR on reported breaches affecting 500+ individuals. However, the Wall of Shame carried an undeserved negative connotation, since organizations were listed publicly and indefinitely on the website.

HIPAA Breach Reporting Tool

OCR noted in their announcement, “The HBRT provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information.”

Information posted on the site includes:

  1. Name of the reporting entity
  2. Number of individuals affected by the data breach
  3. Type of data breach (e.g. hacking/IT incident, unauthorized access, etc.)
  4. Location of the breached information (e.g. laptop, paper records, etc.)

Features of the updated HBRT include:

  • Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
  • New breach archive that includes information about how breaches were resolved
  • Improved navigation to additional breach information
  • Tips for consumers

OCR plans to continue expanding and improving the website’s features and functionality based on industry feedback.

Healthcare Breach Trends

The HIPAA Breach Reporting Tool recently recorded a new milestone: The OCR has surpassed 2,000 breaches reported affecting 500+ individuals since the HBRT’s inception in September 2009.

There has also been a recent shift in the types of breaches reported. We are seeing a departure from the issue of lost or stolen unencrypted devices containing protected health information. According to the HBRT, the last 24 months have seen a rapid increase in hacking/IT incidents.

The big takeaway: Phishing is a tried and true way to gain access to healthcare facilities.

OCR Calls for More Phishing Awareness

To address phishing, OCR placed emphasis on the importance of phishing awareness in its latest cybersecurity newsletter update.

The OCR newsletter article points to a KPMG study that documents an increase in HIPAA violations and cybersecurity attacks impacting PHI over the past two years. The call to action is training the workforce to detect and properly respond to cyber-attacks and phishing scams.

OCR states, “Training on data security for workforce members is not only essential for protecting an organization against cyber-attacks, it is also required by the HIPAA Security Rule.”

There are several key factors healthcare organizations should consider regarding their approach to data security training:

Frequency of training and updates:

    • How often to train workforce members on security issues
    • How often to send security updates to their workforce members

Relevant and emerging threats:

    • Communicate new and emerging cybersecurity threats to workforce members, such as new social engineering tricks and malware or ransomware variants

Training format:

    • What type of training to provide to workforce members on security issues (e.g. computer-based, classroom, monthly newsletters, posters, email alerts, etc.)

Training Documentation:

    • How to document training to workforce members, including dates and types of training, training materials, and evidence of participation

Data Security Training Courses

Your organization likely has access to our collection of data security training courses as part of your cyber insurance policy.

The data security training courses provide organizations with training materials for the workforce in several key areas: Introduction to data breaches, Data security basics, Social engineering & Phishing, Safeguarding information, and HIPAA Privacy & Security Rules.

One important aspect of the training courses is their documentation features. The learning management system in place allows your organization to generate training reports once workforce members have completed the assigned training courses.

OCR notes the importance of documentation in the newsletter, “Any investigator or auditor will ask for documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules.”

To learn more about how you can leverage the data security training courses in your organization, reach out to our team at cyberteam@eplaceinc.com.

HHS Releases Training Module for HIPAA’s Right of Access

The Department of Health and Human Services (HHS) recently addressed the concerns of many healthcare providers regarding patient access to health information. Their newly released training module and report, Improving the Health Records Request Process for Patients, provide clarity and guidance around the issue.

Under HIPAA, patients have the right to access their health records. However, healthcare providers are often hesitant to comply due to concerns of insecure communication and the potential for a data breach.

Patient Challenges

HHS is attempting to solve several key issues for patients trying to access their health records. Common problems noted include:

  • Slow responses from healthcare providers
  • Inconsistent information from administrative staff about obtaining records
  • Inaccessibility of complete or accurate requested records

Taking Action

According to the HHS report, healthcare providers have the opportunity to improve their process for record requests and thus reduce the burden on themselves and patients.

Creating a streamlined, transparent, and electronic records request process may include:

  • Allowing patients to easily request and receive their records from their patient portal
  • Setting up an electronic records request system outside of the patient portal
  • Creating a user-friendly, plain language online request process
  • Using e-verification to quickly confirm the record requestor’s identity
  • Including a status bar or progress tracker so consumers can see where they are in the request process – for example, indicate when the request is received, when their records are being retrieved, and when they’re ready for delivery
  • Making sure consumers know that they can request their records in different formats (e.g. PDF or CD) and with different delivery options (e.g. email or sent to a third party)
  • Encouraging use of patient portals by promoting features like online appointment scheduling, secure messaging and prescription refills


Mishandling HIV Information Costs Hospital $387,000

St. Luke’s hospital came under fire after faxing two patients’ sensitive medical information against their request.

The Office for Civil Rights (OCR) reached a settlement with St. Luke’s-Roosevelt Hospital Center over violations of HIPAA’s Privacy Rule related to impermissible disclosure of protected health information (PHI).

Who is St. Luke’s?

According to the OCR press release, St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health, which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System.

Data Breach Details

OCR received an initial complaint in 2014 regarding impermissible disclosure of patient health information by the staff at Spencer Cox Center.

OCR launched an investigation, finding the Spencer Cox Center staff faxed the patient’s PHI directly to his employer, and not his personal post office box as he requested.

Information disclosed included highly sensitive medical information: HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

During its investigation of this event, OCR discovered that Spencer Cox Center was also responsible for a related breach of sensitive information and had taken no action to address the apparent issue. In the related breach nine months prior, staff faxed PHI of another patient (against that patient’s express instructions) to an office where the patient volunteered.

Settlement Details

The settlement includes a $387,000 penalty for St. Luke’s, along with a corrective action plan.

The corrective action plan includes several remediation steps:

  • Revise and distribute written policies and procedures concerning the uses and disclosures of PHI (mail, fax, or email), and update them annually
  • Revise and distribute training materials to include instruction on safeguarding PHI

Key Takeaways

For a case that involves the PHI of only two individual patients, this might seem like a heavy assessment by OCR. This high settlement amount conveys OCR’s focus on two areas in this case: 1) penalty proportionate to sensitivity of information and 2) penalty for avoidance of addressing compliance issues.

The settlement amount clearly reflects the sensitive nature of the patient information disclosed. The high penalty also addresses the failure to act on the initial incident. Had the Spencer Cox Center addressed the gaps in its compliance program after the first breach, the procedures and policies would have been in place to mitigate future events and prevent this type of impermissible disclosure.

It is no surprise to see OCR pursuing a case in which only a handful of individuals were affected. OCR noted last year that it would start focusing more on smaller breaches. With this example, we see that OCR has been true to its word. We also reported on a $2.4 million penalty earlier in May for an incident involving only one patient’s information.

$2.4 Million HIPAA Penalty for Disclosing One Patient’s Name

The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whopper of a fine.

Who is MHHS?

Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.

Breach Details

In September 2015, a patient presented office staff at an MHHS clinic with an allegedly fraudulent identification card.

The staff immediately contacted law enforcement and the patient was arrested.

This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.

However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.

Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.

OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.

Settlement Details

The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.

A few factors might have contributed to the size of the penalty:

  • The nonchalant attitude from management regarding patient privacy and PHI disclosures
  • The failure to apply sanctions to staff in the aftermath of the disclosure
  • The larger size of the healthcare system

The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:

  • Updating policies and procedures on safeguarding PHI from impermissible disclosures
  • Training workforce members on the policies and procedures
  • Confirming workforce members’ understanding of permissible disclosures of PHI, including disclosures to the media

Key Takeaway

OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.

If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.

If you’d like assistance, send us a note and brief explanation to cyberteam@eplaceinc.com and we’ll help guide you in the right direction.

Additional Notes

If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.

This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.

HIPAA Settlement: $2.5 Million for Neglecting to Address Cyber Risks

The latest HIPAA enforcement action involves the classic theft of an unencrypted laptop, but with an added twist.

The Office for Civil Rights (OCR) agreed to terms with CardioNet to settle violations of the HIPAA Security Rule. The settlement includes a hefty $2.5 million penalty along with a corrective action plan.

Who is CardioNet?

CardioNet is a technology company operating in Pennsylvania. They provide remote mobile heart-monitoring services for patients, and rapid response for those at risk of cardiac arrhythmias.

This represents OCR’s first HIPAA settlement with a wireless health services provider.

Data Breach

CardioNet first reported the incident to OCR’s office at the beginning of 2012. An employee’s laptop was stolen from their car while it was parked outside their house.

As we’ve seen in various cases before, the laptop was unencrypted and contained ePHI of 1,391 individuals.

OCR Investigation

OCR’s investigation revealed a couple of shortcomings in CardioNet’s HIPAA compliance efforts.

First and foremost, the company failed to conduct a sufficient risk analysis or have adequate risk management processes in place. Additionally, their policies and procedures related to the HIPAA Security Rule’s requirements were still in draft form at the time of the theft.

During the investigation, CardioNet was unable to produce any final policies or procedures for safeguarding ePHI. The assumption is they were never implemented.

OCR chose not to place their focus on the unsecured, stolen device. Rather, their findings emphasized the company’s overall failure to implement required areas of compliance under HIPAA’s Security Rule.

After CardioNet initially reported the breach, OCR gave the company the opportunity to shore up these issues on a voluntary basis. However, OCR found the company’s progress too slow, resulting in the formal enforcement action.

Settlement Terms

The parties agreed on a $2.5 million fine and corrective action plan as part of the settlement. The corrective action plan requires CardioNet to take the following compliance efforts:

  • Conduct a risk analysis and develop a risk management plan based on the findings
  • Implement revised policies and procedures with respect to safeguarding mobile devices
  • Review and revise their workforce training program to comply with the Security Rule

Key Takeaways

The hefty fine is notable for a couple of reasons:

The organization lacked the fundamental elements of HIPAA compliance – risk analysis and mitigation efforts. One common trend in OCR’s heavier penalties is the failure to conduct a risk analysis. All other risk management practices stem from the findings of an organization’s risk analysis. OCR has made it clear they will drop the hammer on healthcare organizations that neglect the compliance basics.

The other factor in this case was the company’s continued disregard for overall compliance. From the time of the incident to the investigation, CardioNet had plenty of time to implement the policies and procedures required under the Security Rule. The fact that they had yet to finalize those policies and procedures demonstrated their lack of priority for compliance.

Other healthcare organizations should take note and ensure they have the basics covered. Contact our team at cyberteam@eplaceinc.com to access our wealth of HIPAA compliance materials included in your cyber insurance policy.

Small Healthcare Practice Gets Slapped with HIPAA Penalty

The Office for Civil Rights (OCR) settled with the Center for Children’s Digestive Health (CCDH) for $31,000 over HIPAA violations related to business associate agreements.

CCDH is a small, for-profit healthcare provider operating a pediatric practice with seven locations throughout Illinois.

HIPAA Settlement

OCR began investigating FileFax Inc., a business associate of CCDH that stored records with protected health information on behalf of the healthcare provider. This led to a compliance review of CCDH in August 2015.

OCR’s investigation revealed CCDH started disclosing PHI to FileFax back in 2003. However, neither company could produce documentation of a business associate agreement prior to October 2015.

The conclusion was CCDH impermissibly disclosed PHI of at least 10,728 individuals to FileFax in violation of the HIPAA Privacy Rule.

CCDH agreed to the settlement terms including a $31,000 penalty and corrective action plan.

FileFax Background

The rumor is that the compliance investigation of CCDH stems from an incident involving FileFax in 2015. Large quantities of medical records were found in a dumpster outside FileFax’s building. Those paper records were from another Illinois-based healthcare provider, leading to the investigation.

When regulators took a deeper look into FileFax’s privacy and security practices, it’s likely they discovered the lack of a business associate agreement and moved from there.

The attorney general in Illinois filed a lawsuit against FileFax for allegedly violating the state’s Personal Information Protection Act. That lawsuit was settled, including a penalty of $30,000 and a corrective action plan.

Apparently, the company is now out of business.

Corrective Action Plan

CCDH agreed to shore up their HIPAA compliance through revising their policies and procedures surrounding business associates.

The corrective action plan notably requires CCDH:

  • Designate someone to ensure business associate agreements are in place
  • Create a template business associate agreement
  • Report an inventory of business associates to OCR including copies of the agreements
  • Provide training to the workforce regarding the revised policies and procedures

Key Takeaways

Business associate agreements represent an area of low hanging fruit for HIPAA non-compliance. OCR has made it clear during prior settlements and the latest round of audits that business associate compliance is an area of focus.

This smaller settlement shows no healthcare provider can slip past HIPAA compliance. Healthcare providers will take note of OCR’s reminder here that smaller practices are held accountable for the same privacy and security standards.

Our cyber risk management tools include a template business associate agreement for organizations to leverage. If you need assistance accessing that template, or other vendor management resources, reach out to us at cyberteam@eplaceinc.com.

Phishing Attack Results in $400,000 OCR Settlement

Phishing incidents continue to be a top cause of data breaches. A phishing incident at Metro Community Provider Network (MCPN) led to the most recent OCR settlement for $400,000.

Who is Metro Community Provider Network?

MCPN is a federally-qualified health center providing healthcare services to the greater Denver area. Services include primary medical care, dental care, pharmacies, social work, and behavioral health care services. Most of their 43,000 annual patients are at or below the poverty level.

Phishing Incident

In January 2012, MCPN reported a data breach to the OCR stemming from a phishing incident.

A phishing scam allowed hackers to access MCPN employees’ email accounts and obtain ePHI of 3,200 individuals. OCR’s investigation found the provider took proper steps following the incident to mitigate the damage.

However, the investigation also revealed MCPN failed to conduct a risk assessment until February 2012 – one month after discovering the breach.

As prior OCR settlements have taught us, risk assessments are foundational to HIPAA compliance efforts. Without conducting a risk assessment, MCPN didn’t implement any risk management practices to address identified risks and vulnerabilities.

OCR also commented that once MCPN did finalize its risk assessment, it didn’t meet the requirements of HIPAA’s Security Rule.

Settlement & Corrective Action Plan

OCR agreed to settle with MCPN for a penalty of $400,000. In the press release, OCR noted the settlement amount took into consideration MCPN’s status as a federally-qualified health center and their financial situation to be able to continue providing patient care.

The corrective action plan includes several tasks for MCPN to strengthen its security posture:

  • Conduct a comprehensive risk analysis of security risks and vulnerabilities to include all current facilities and equipment
  • Develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis
  • Review and revise current Security Rule policies and procedures based on findings from the risk analysis and implementation of the risk management plan
  • Provide updated training materials to MCPN workforce based on findings from the risk analysis and implementation of the risk management plan

Key Takeaways

There’s no reason to believe OCR is changing its mind about risk assessments anytime soon. They are foundational to HIPAA compliance efforts. The advice for healthcare organizations is simple: do your risk assessment, and do it right.

If you’re looking for recommendations during the risk assessment process, reach out to our team for advice at cyberteam@eplaceinc.com.

HIPAA Settlement: Memorial Healthcare Systems

The Office for Civil Rights (OCR) isn’t slowing down with its heavy fines. In the largest settlement of the year thus far, OCR settled with Memorial Healthcare Systems for a $5.5 million penalty along with a robust corrective action plan.

Memorial is a nonprofit operating six hospitals, an urgent care center, a nursing home, and other ancillary healthcare facilities throughout South Florida. They are also affiliated with physician offices through an Organized Health Care Arrangement.

Data Breach

Memorial filed a breach report with OCR due to inappropriate access to electronic protected health information (ePHI) of 115,143 individuals. The ePHI was impermissibly accessed by Memorial employees, and impermissibly disclosed to an affiliated physician office’s staff.

The investigation found that the login credentials of a former employee at the affiliated physician’s office were used to access ePHI on a daily basis, without detection, from April 2011 to April 2012. Information accessed included patient names, dates of birth, and Social Security numbers.

Access to the ePHI was linked to federal charges of selling ePHI and filing fraudulent tax returns.

HIPAA Violations

OCR found Memorial in violation of several HIPAA Security Rule requirements:

  • Failure to implement procedures for reviewing, modifying, and terminating users’ right of access
  • Failure to regularly review records of information system activity on applications with ePHI by the workforce

It’s noted that Memorial had previously identified these specific risks in several risk analyses from 2007 to 2012.

Importance of Audit Controls

OCR released a related guidance document in its January newsletter, touching on the topic of audit controls. The guidance – Understanding the Importance of Audit Controls – highlights several areas in which audit controls assist covered entities:

  • Reviewing inappropriate access
  • Tracking unauthorized disclosures of ePHI
  • Detecting performance problems in applications
  • Detecting potential intrusions
  • Providing forensic evidence during investigations of security incidents

OCR Acting Director Robinsue Frohboese also commented on audit controls, “Access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
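The Memorial case turned on a gap that regular audit-log review is meant to close: a terminated account used daily for a year without anyone noticing. The following is an added example, not code from OCR, Memorial or the newsletter, of what such a review can look like in practice. It assumes a hypothetical application access log exported as CSV (timestamp, account, workstation, patient_id, action) and a hypothetical HR roster giving each account's termination date; both data sets below are constructed for the example. It flags any ePHI access by an account that is absent from the roster or whose termination date precedes the access, then summarizes how many days and records each flagged account touched, which is the kind of evidence an investigator would ask for.

```python
"""Audit-log review for ePHI access by terminated or unknown accounts.

Added example (not OCR's, Memorial's or the newsletter's own code). Assumes a
hypothetical application access log in CSV with the columns below and a
hypothetical HR roster of accounts with termination dates (empty if active).
Both data sets are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed HR roster: account -> termination date (ISO) or "" if still active.
ROSTER_CSV = """account,termination_date
jdoe,
pfinch,2011-03-31
"""

# Constructed application access log: one row per ePHI record viewed.
ACCESS_LOG_CSV = """timestamp,account,workstation,patient_id,action
2011-04-04T08:12:00,jdoe,WS-17,P100231,view
2011-04-04T08:15:00,pfinch,WS-22,P100455,view
2011-04-05T08:10:00,pfinch,WS-22,P100456,view
2011-04-05T17:52:00,pfinch,WS-22,P100457,view
2011-04-06T08:09:00,pfinch,WS-22,P100458,view
2011-04-06T09:40:00,unknown_acct,WS-30,P100900,view
"""


def load_roster(text):
    """Return {account: termination_date or None} from the roster CSV."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        roster[row["account"]] = date.fromisoformat(term) if term else None
    return roster


def review_access_log(log_text, roster):
    """Return findings (account, date, patient_id, reason) for accesses that
    should not have occurred: the account is missing from the HR roster, or
    the access date is after the account's termination date."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        acct = row["account"]
        when = date.fromisoformat(row["timestamp"][:10])
        if acct not in roster:
            findings.append((acct, when, row["patient_id"], "account not in HR roster"))
        elif roster[acct] is not None and when > roster[acct]:
            days = (when - roster[acct]).days
            findings.append((acct, when, row["patient_id"], f"terminated {days} days earlier"))
    return findings


def summarize(findings):
    """Group findings by account: number of distinct active days and records."""
    grouped = defaultdict(lambda: {"days": set(), "records": set()})
    for acct, when, patient_id, _reason in findings:
        grouped[acct]["days"].add(when)
        grouped[acct]["records"].add(patient_id)
    return {acct: {"active_days": len(v["days"]), "records": len(v["records"])}
            for acct, v in grouped.items()}


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    findings = review_access_log(ACCESS_LOG_CSV, roster)
    for finding in findings:
        print("FINDING:", *finding)
    print(summarize(findings))
```

Run on a schedule against the real log export and roster, the same comparison surfaces a terminated account on its first day of post-termination use rather than a year later; the roster join is also the check that catches accounts provisioned outside the normal HR process.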

Corrective Action Plan

The corrective action plan calls for Memorial to shore up its Security Rule violations by:

  • Completing a risk analysis and implementing a risk management plan to mitigate the risks and vulnerabilities identified;
  • Revising policies and procedures regarding information system activity to require regular review of audit logs, access reports, and security incident tracking;
  • Revising policies and procedures regarding user access establishment, modification, and termination including protocols for access by affiliated physicians and their employees; and
  • Distributing OCR-approved revised policies and procedures to all workforce members as well as all affiliated physician practices.

Key Takeaway

If you’ve been tracking OCR’s enforcement actions from last year and into 2017, you’ve probably noticed the penalties steadily growing. One common trend in the investigations is the willful neglect of issues related to non-compliance.

In this case, it appears that Memorial was aware of the security issues faced by their user access controls, but failed to implement measures to mitigate the risk. OCR has pointed to this issue in prior settlements this year: If you find issues and threats during your risk assessment, the next step is to fix the problem!

If your organization needs any advice on mitigating risks identified in your risk assessment, send our team a note at cyberteam@eplaceinc.com.

If you’d like more insight on the cyber risks faced by healthcare entities, and common trends from OCR’s enforcement actions, join our webinar – Healthcare Privacy State of the Union – Tuesday February 28, 10:30 am PT / 1:30 pm ET:

  • Event ID: 2017
  • Event Password: 9870

OCR Penalty: Unencrypted Laptops Result in Steep Fines for Small Breaches

The Office for Civil Rights (OCR) sent a strong message to the healthcare community with their third civil monetary penalty totaling $3.2 million.

Children’s Medical Center of Dallas – part of the seventh-largest pediatric health care provider in the nation – was on the wrong end of two data breaches caused by a lack of encryption. The hefty fine stems from the OCR’s investigation uncovering longstanding failures to comply with HIPAA’s rules.

Data Breaches

Children’s first filed a breach report with OCR in January 2010. An employee lost an unencrypted, non-password protected BlackBerry device at the Dallas airport in November 2009. The device contained the electronic protected health information (ePHI) of 3,800 individuals.

Children’s filed a separate breach report with OCR in July 2013. This time it was due to the theft of an unencrypted laptop from the premises in April 2013. The device contained ePHI of about 2,500 individuals.

In this case, it was determined that several physical safeguards were in place to protect the laptop storage area, e.g. badge access and a security camera at one entrance. However, access to the area was given to members of the workforce who weren’t authorized to access ePHI.

HIPAA Violations

The OCR levied the civil monetary penalty, rather than coming to terms on a settlement, due to widespread failures related to HIPAA compliance. Specifically, OCR noted two crucial HIPAA failures:

  • Failure to implement risk management plans, contrary to external recommendations
  • Failure to deploy encryption, or an equivalent alternative safeguard, on laptops, workstations, mobile devices, and removable media until 2013

The key issue leading to the penalty was the medical provider’s failure to fix known problems for an extended period of time. Children’s had an independent firm conduct a gap analysis in 2006 and again in 2007, highlighting the risks to unencrypted ePHI by March 2007 at the latest. A separate analysis was performed in 2008 to address threats and vulnerabilities of certain ePHI.

Children’s was aware of the potential risks posed by their unencrypted devices, and failed to act until 2013.

Acting OCR Director Robinsue Frohboese noted, “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Key Takeaway

OCR hasn’t slowed down in their HIPAA enforcement so far in 2017. But this case is unique for a few reasons: The total number of affected individuals was less than 6,000, but the case involved multiple breaches of unencrypted devices, and focused on Children’s failure to mitigate known security issues.

OCR demonstrates once again they aren’t afraid of heavy fines for widespread non-compliance in safeguarding ePHI. Healthcare organizations can take this enforcement as a warning: Fix the problems you’ve identified! When your risk assessments identify gaps and vulnerabilities, address and prioritize those areas during risk mitigation efforts.