In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security.  To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security. This obligation stems from HIPAA’s requirement that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic protected health information. This is referred to as a “risk assessment” or “risk analysis” and is a core element of HIPAA’s Security Rule. But it is not enough to simply assess or analyze the risk; HIPAA requires that the risks be mitigated. This is particularly important when it comes to information security risk. As OCR states in its newsletter: Continue Reading HIPAA, Security Vulnerabilities and Patching

Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was composed of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems. I started off by asking the panelists how these challenges have evolved over the years, anticipating that the conversation would soon turn to the challenges posed by newer technologies such as cloud computing and artificial intelligence. But it was the panelists’ opinion that many in the health care space continue to struggle with the basics, including basic HIPAA compliance. Continue Reading HIPAA Tips from the Trenches

As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.

NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from the car of a business associate’s employee. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011, and did not enter into one until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis. Continue Reading Don’t Neglect Your Business Associate Agreements!

Written by: Kimberly J. Gold

Two companies agreed to settlements totaling almost $2 million to resolve alleged Health Insurance Portability and Accountability Act (HIPAA) violations involving stolen, unencrypted laptops, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Tuesday.

OCR conducted an investigation of Concentra Health Services (Concentra) after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities. Concentra’s biggest mistake was its failure to remedy previously recognized security problems. The company had conducted multiple risk analyses revealing that the lack of encryption on its laptops and other devices containing electronic protected health information (ePHI) was a critical risk. While Concentra had taken steps to begin encrypting those devices, OCR found that Concentra had insufficient security management processes in place to safeguard patient information. Concentra agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan.

The other organization, QCA Health Plan, Inc. (QCA), notified OCR of a breach in February 2012 involving the theft, from a workforce member’s car, of an unencrypted laptop computer that contained the ePHI of 148 individuals. OCR reported that QCA encrypted its devices following discovery of the breach, but that it had failed to comply with multiple HIPAA Privacy and Security Rule requirements between April 2005 and June 2012. In addition to a $250,000 monetary settlement, QCA will provide HHS with an updated risk analysis and risk management plan, including specific security measures to reduce ePHI risks and vulnerabilities. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

The Resolution Agreements for Concentra and QCA can be found on the OCR website.

Continue Reading No More Excuses: Encrypt Your Laptops or Pay Big $