Tag Archives: OCR

OCR Announces Six-Figure HIPAA Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with Allergy Associates of Hartford, P.C., a three-physician allergy practice in Connecticut, for HIPAA Privacy Rule violations.

Alleged HIPAA Violation

According to OCR’s press release and corrective action plan, a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor regarding the patient’s service animal. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter.

While the allergy practice had HIPAA policies and procedures in place, the physician did not adhere to them. Further, once OCR uncovered the issue, it also found that the practice had failed to sanction the physician involved in accordance with its own policies.

OCR Releases Improved HIPAA Security Risk Assessment Tool

Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.

Risk assessments, however, can be a daunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.

The SRA Tool is designed for small to medium-sized health care practices (up to 10 health care providers) and business associates to help them identify ePHI risks and vulnerabilities.

OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

As Hurricane Florence approaches the North Carolina coastline, OCR has released guidance to ensure that medical information is shared appropriately during the hurricane.

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule.

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.


Guidance on Disposing Sensitive Data-Storing Devices

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released its July 2018 newsletter, entitled Guidance on Disposing of Electronic Devices and Media (Guidance), which provides suggestions for properly disposing of technology that may contain sensitive data, such as financial information or protected health information (PHI). While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues such as properly disposing of equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.

Improper disposal of devices can lead to a data breach that is costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.

OCR Announces Fourth Largest Penalty Ever

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced an Administrative Law Judge (ALJ) ruled against The University of Texas MD Anderson Cancer Center (MD Anderson) after MD Anderson suffered three breaches that disclosed the health records of about 35,000 patients. The ruling requires MD Anderson to pay $4,348,000 in civil money penalties making it the fourth largest monetary penalty in OCR’s history.

The Three Breaches

MD Anderson suffered three different data breaches in 2012 and 2013. The breaches involved the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted protected health information of over 33,500 patients.

Lack of Encryption

OCR’s investigation found that MD Anderson had written encryption policies dating back to 2006, but those policies were not adopted until 2011 and, even then, MD Anderson did not encrypt all of its electronic devices, as evidenced by the breaches in 2012 and 2013. Furthermore, MD Anderson’s own risk analyses recognized that the lack of device-level encryption posed a high risk to the security of ePHI.

Key Takeaways from the New and Improved HIPAA Breach Reporting Tool

Several issues were raised in the past about the Office for Civil Rights’ (OCR) website commonly referred to as the “Wall of Shame.” In response, OCR announced the updated version of their rebranded HIPAA Breach Reporting Tool (HBRT).

The old Wall of Shame and the new HIPAA Breach Reporting Tool both publish information received by OCR on reported breaches affecting 500+ individuals. However, the Wall of Shame carried an undeserved negative connotation, as organizations were publicly and indefinitely listed on the website.

HIPAA Breach Reporting Tool

OCR noted in their announcement, “The HBRT provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information.”

Information posted on the site includes:

  1. Name of the reporting entity
  2. Number of individuals affected by the data breach
  3. Type of data breach (e.g. hacking/IT incident, unauthorized access, etc.)
  4. Location of the breached information (e.g. laptop, paper records, etc.)

Features of the updated HBRT include:

  • Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
  • New breach archive that includes information about how breaches were resolved
  • Improved navigation to additional breach information
  • Tips for consumers

OCR plans to continue expanding and improving the website’s features and functionality based on industry feedback.

Healthcare Breach Trends

The HIPAA Breach Reporting Tool recently recorded a new milestone: The OCR has surpassed 2,000 breaches reported affecting 500+ individuals since the HBRT’s inception in September 2009.

There has also been a recent shift in the types of breaches reported. We are seeing a departure from the issue of lost or stolen unencrypted devices containing protected health information. According to the HBRT, the last 24 months have seen a rapid increase in hacking/IT incidents.

The big takeaway: Phishing is a tried and true way to gain access to healthcare facilities.

OCR Calls for More Phishing Awareness

To address phishing, OCR placed emphasis on the importance of phishing awareness in its latest cybersecurity newsletter update.

The OCR newsletter article points to a KPMG study that documents an increase in HIPAA violations and cybersecurity attacks impacting PHI over the past two years. The call to action is training the workforce to detect and properly respond to cyber-attacks and phishing scams.

OCR states, “Training on data security for workforce members is not only essential for protecting an organization against cyber-attacks, it is also required by the HIPAA Security Rule.”

There are several key factors healthcare organizations should consider regarding their approach to data security training:

Frequency of training and updates:

    • How often to train workforce members on security issues
    • How often to send security updates to their workforce members

Relevant and emerging threats:

    • Communicate new and emerging cybersecurity threats to workforce members, such as new social engineering tricks and malware or ransomware variants

Training format:

    • What type of training to provide to workforce members on security issues (e.g. computer-based, classroom, monthly newsletters, posters, email alerts, etc.)

Training documentation:

    • How to document training to workforce members, including dates and types of training, training materials, and evidence of participation

Data Security Training Courses

Your organization likely has access to our collection of data security training courses as part of your cyber insurance policy.

The data security training courses provide organizations with training materials for the workforce in several key areas: Introduction to data breaches, Data security basics, Social engineering & Phishing, Safeguarding information, and HIPAA Privacy & Security Rules.

One important aspect of the training courses is the documentation features. The learning management system in place allows your organization to leverage training reports once workforce members have completed the assigned training courses.

OCR notes the importance of documentation in the newsletter, “Any investigator or auditor will ask for documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules.”

To learn more about how you can leverage the data security training courses in your organization, reach out to our team at cyberteam@eplaceinc.com.

OCR Publishes New Cybersecurity Materials & Guidance

The Office for Civil Rights (OCR) released new guidance materials that should prove helpful for smaller organizations working on a limited budget. The purpose of the new guidance is to help Covered Entities and Business Associates understand the steps involved with responding to a security incident.

Response Checklist

OCR’s checklist is titled ‘My entity just experienced a cyber-attack! What do we do now?’ and briefly touches on several quick-response steps:

  • Execute the response and mitigation procedures and contingency plans
  • Report the crime to applicable law enforcement agencies
  • Report all cyber threat indicators to federal agencies and information-sharing and analysis organizations
  • Report the breach to OCR as soon as possible (but no later than 60 days after discovery of a breach affecting 500 or more individuals)

The accompanying infographic helps to illustrate these steps.

Key Takeaways

Being prepared for a cybersecurity incident and having the response process thought out is a key focus area for our clients. For organizations in the healthcare industry, we have provided foundational templates for building incident response programs. Whether your organization is starting from scratch or just wanted to supplement existing incident response plans, these templates are key resources.

Each of these steps mentioned by the OCR is an important component of an effective incident response plan. You can view our incident response materials through the website in our newsletter. Submit any incident response questions to cyberteam@eplaceinc.com.

Mishandling HIV Information Costs Hospital $387,000

St. Luke’s hospital came under fire after faxing two patients’ sensitive medical information against their request.

The Office for Civil Rights (OCR) reached a settlement with St. Luke’s-Roosevelt Hospital Center over violations of HIPAA’s Privacy Rule related to impermissible disclosure of protected health information (PHI).

Who is St. Luke’s?

According to the OCR press release, St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) operates the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health, which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System.

Data Breach Details

OCR received an initial complaint in 2014 regarding impermissible disclosure of patient health information by the staff at Spencer Cox Center.

OCR launched an investigation, finding the Spencer Cox Center staff faxed the patient’s PHI directly to his employer, and not his personal post office box as he requested.

Information disclosed included highly sensitive medical information: HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

Through its investigation of this event, OCR discovered that the Spencer Cox Center was also responsible for a related breach of sensitive information and had taken no action to address the apparent issue. In the related breach nine months prior, staff faxed the PHI of another patient (against that patient’s express instructions) to an office where the patient volunteered.

Settlement Details

The settlement includes a $387,000 penalty for St. Luke’s, along with a corrective action plan.

The corrective action plan includes several remediation steps:

  • Revise and distribute written policies and procedures concerning the uses and disclosures of PHI (mail, fax, or email), and update them annually
  • Revise and distribute training materials to include instruction on safeguarding PHI

Key Takeaways

For a case that involves the PHI of only two individual patients, this might seem like a heavy assessment by OCR. This high settlement amount conveys OCR’s focus on two areas in this case: 1) penalty proportionate to sensitivity of information and 2) penalty for avoidance of addressing compliance issues.

The settlement amount clearly reflects the sensitive nature of the patient’s information disclosed. The high penalty also addresses the avoidance of initial vulnerabilities. Had the Spencer Cox Center addressed issues within their compliance program during the initial breach, the procedures and policies would be in place to mitigate future events and prevent these types of impermissible disclosure.

It is no surprise to see OCR targeting a case with minimal individuals impacted. OCR noted last year they would start focusing more on smaller breaches. With this example, we see that OCR has been true to their word. We also reported on a $2.4 million penalty earlier in May for an incident involving only one patient’s information.

$2.4 Million HIPAA Penalty for Disclosing One Patient’s Name

The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whopper of a fine.

Who is MHHS?

Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.

Breach Details

In September 2015, office staff at an MHHS clinic were presented with a patient’s allegedly fraudulent identification card.

The staff immediately contacted law enforcement and the patient was arrested.

This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.

However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.

Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.

OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.

Settlement Details

The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.

A few factors might have contributed to the size of the penalty:

  • The nonchalant attitude from management regarding patient privacy and PHI disclosures
  • The failure to apply sanctions to staff in the aftermath of the disclosure
  • The larger size of the healthcare system

The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:

  • Updating policies and procedures on safeguarding PHI from impermissible disclosures
  • Training workforce members on the policies and procedures
  • Confirming their understanding of permissible disclosures of PHI, including to the media

Key Takeaway

OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.

If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.

If you’d like assistance, send us a note and brief explanation to cyberteam@eplaceinc.com and we’ll help guide you in the right direction.

Additional Notes

If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.

This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.

HIPAA Settlement: $2.5 Million for Neglecting to Address Cyber Risks

The latest HIPAA enforcement action involves the classic theft of an unencrypted laptop, but with an added twist.

The Office for Civil Rights (OCR) agreed to terms with CardioNet to settle violations of the HIPAA Security Rule. The settlement includes a hefty $2.5 million penalty along with a corrective action plan.

Who is CardioNet?

CardioNet is a technology company operating in Pennsylvania. They provide remote mobile heart-monitoring services for patients, and rapid response for those at risk of cardiac arrhythmias.

This represents OCR’s first HIPAA settlement with a wireless health services provider.

Data Breach

CardioNet first reported the incident to OCR’s office at the beginning of 2012. An employee’s laptop was stolen from their car while it was parked outside their house.

As we’ve seen in various cases before, the laptop was unencrypted and contained ePHI of 1,391 individuals.

OCR Investigation

OCR’s investigation revealed a couple of shortcomings in CardioNet’s HIPAA compliance efforts.

First and foremost, the company failed to conduct a sufficient risk analysis or have adequate risk management processes in place. Additionally, their policies and procedures related to the HIPAA Security Rule’s requirements were still in draft form at the time of the theft.

During the investigation, CardioNet was unable to produce any final policies or procedures for safeguarding ePHI. The assumption is they were never implemented.

OCR chose not to place their focus on the unsecured, stolen device. Rather, their findings emphasized the company’s overall failure to implement required areas of compliance under HIPAA’s Security Rule.

After CardioNet initially reported the breach, OCR gave the company the opportunity to shore up these issues on a voluntary basis. However, OCR found the company’s progress too slow, resulting in the formal enforcement action.

Settlement Terms

The parties agreed on a $2.5 million fine and corrective action plan as part of the settlement. The corrective action plan requires CardioNet to take the following compliance efforts:

  • Conduct a risk analysis and develop a risk management plan based on the findings
  • Implement revised policies and procedures with respect to safeguarding mobile devices
  • Review and revise their workforce training program to comply with the Security Rule

Key Takeaways

The hefty fine is notable for a couple of reasons:

The organization lacked the fundamental elements of HIPAA compliance – risk analysis and mitigation efforts. One common trend in OCR’s heavier penalties is the failure to conduct a risk analysis. All other risk management practices stem from the findings of an organization’s risk analysis. OCR has made it clear they will drop the hammer on healthcare organizations that neglect the compliance basics.

The other factor in this case was the company’s continued disregard for overall compliance. From the time of the incident to the investigation, CardioNet had plenty of time to implement the policies and procedures required under the Security Rule. The fact that they had yet to finalize those policies and procedures demonstrated their lack of priority for compliance.

Other healthcare organizations should take note and ensure they have the basics covered. Contact our team at cyberteam@eplaceinc.com to access our wealth of HIPAA compliance materials included in your cyber insurance policy.