OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).
The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured protected health information (PHI) on October 22, 2013, but did not report the breach to OCR until January 31, 2014, more than three months later. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference.
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections.
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Health & Science University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.
As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.
NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis.
January 28th is Data Privacy Day. Given that privacy is the bedrock on which successful health care delivery is built, I would like to mark the occasion with a few thoughts for our health care industry clients and friends:
HIPAA is big, but privacy is bigger. Health care providers and others in the health care industry must take a broad view of any privacy issue and remember that HIPAA is only part of any privacy law analysis. Individual states have privacy laws that are often more stringent than HIPAA and that must be considered along with HIPAA.
Privacy is good for business. Conversely, lack of privacy can result in significant reputational and economic harm. State and federal breach notification laws are designed to make failures embarrassing and public. The Office for Civil Rights’ breach notification summary is called the “Wall of Shame” for a reason. Stay off it!
No privacy program can eliminate human error, but education can help. People make mistakes and even the government acknowledges that perfect compliance with laws like HIPAA is not possible. Education is the only way to minimize the risk of human error as well as the risk of malicious or deliberate misuse of health or other personal information by workforce members.
There is no privacy without security. Rigorous administrative, physical and technical security measures are mandatory for ensuring the ongoing privacy of health and personal information.
You can stay abreast of changes in this constantly evolving area by following our blog, as well as our Privacy & Security Matters blog.