The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from the facility.
A court-ordered receiver liquidated Filefax’s assets in 2016. As part of the settlement with OCR, the receiver agreed to pay $100,000 and properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking. OCR’s pursuit of a settlement against a defunct company serves as a lesson to other health care companies that no one is off limits to HIPAA enforcement actions.
OCR’s press release about the settlement is available here.
OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).
The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. After reporting the breach to OCR over three months later on January 31, 2014, OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter. This month’s newsletter focuses on the topic of authentication. OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).
Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference. Continue Reading September Privacy and Security Updates
HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.
Investigations into the root cause of even a small breach can discover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections. Continue Reading OCR to Increase Investigations of Smaller HIPAA Breaches
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Heath & Sciences University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations. Continue Reading “Your Money or Your PHI”: OCR Releases Guidance on Ransomware