The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement
Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Heath & Sciences University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:
We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.