OCR Announces Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals

Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of reported breaches of protected health information (PHI).

The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.

OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals. Regional Offices also investigate reports of smaller breaches (involving the PHI of fewer than 500 individuals), as resources permit.

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. Among the factors Regional Offices will consider are:

  • The size of the breach;
  • Theft of or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved;
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

Comment: So, those of you who hold the opinion that you are “too small” for the government to audit you may want to reconsider that philosophy. If you are a Practice Administrator, you are charged with safekeeping the business of your Physician employer. Failure to adhere to current Federal Law is probably not going to go over well if your Practice has to pay a large fine for non-compliance. It is probably not a career-building move, either.

OCR has collected almost $20 million in fines this year and it is only August. Compare that to $6.1 million in all of 2015. The kicker? OCR gets to keep what they collect and can use it for additional enforcement actions. So, they have 3x the money in the first 8 months of 2016 to use for enforcement than they had in all of 2015. And, it ain’t over yet!

Small Practice Enforcement Actions

Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement

The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan.

St. Elizabeth’s Medical Center (SEMC) has agreed to settle potential violations

SEMC will pay $218,400 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. “…workforce members used an internet-based document sharing application to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.” Additionally, OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.

$750,000 settlement highlights the need for HIPAA business associate agreements

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges. Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).

$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis

The University of Washington Medicine (UWM) has agreed to settle for failing to implement policies and procedures to prevent, detect, contain, and correct security violations. The settlement includes a monetary payment of $750,000, a corrective action plan, and annual reports on the organization’s compliance efforts.

Are Your Business Associates HIPAA Compliant? Prove It!!


At the risk of repeating myself, ALL of your Business Associates MUST be HIPAA compliant. This means the IT firm, the shredding company, your Practice Management and EHR Vendor and pretty much any company that has access into your Patient records or database.

Here is a chart to show the differences between your compliance as a Covered Entity and their compliance as a Business Associate:

Requirement                                          Covered Entity   Business Associate
Security Risk Analysis completed annually            Required         Required
Staff Training completed annually                    Required         Required
Policies and Procedures developed and implemented    Required         Required

Ummm, the chart is the same. What difference? Exactly! There is no difference! A Business Associate has to be just as compliant as you. So, if your IT Vendor is not compliant, you have a reportable Data Breach now, today, because you are allowing access to Patient Records by unauthorized persons.

Do you have an offsite Backup and Disaster Recovery program? Do you have a Business Associate Agreement signed with them? I hope so, because mere possession of ePHI (even encrypted ePHI!) constitutes a Data Breach in the absence of a signed Business Associate Agreement with a compliant Business Associate.

By way of example, we used to store Client backups in a local Data Center. Their hot-shot New Jersey attorney said that they did not have to be HIPAA compliant. No amount of reading of the OCR guidance and the Code of Federal Regulations could convince him otherwise. So, we had to pack up our Client data and move it to Richmond.

Computer Networks of Roanoke, Inc.

Hank Wagner, Owner
hank.wagner@computernetworksinc.com
757-333-3299 x232

PHI is everywhere. Find it. Protect it.

New Ransomware Training Program

I don’t normally use this newsletter to sell things because I provide it as an educational service. But, I am going to make an exception.

Ransomware is the latest and biggest threat, especially in the health care sector. When you get infected, ransomware encrypts all of your files (even if they are already encrypted) and then demands a ransom payment to provide an unlock key. If you don’t pay, then you had better have good, current backups, because you will need them to restore your systems to their pre-ransomware state.

You get infected by a user opening a malicious email (phishing) and/or clicking on an infected Internet web link.

Our new program allows us to send your staff members safe phishing emails at varying times and on varying dates so that we can determine their susceptibility to opening these types of emails. We can then provide a report of your “clickers” who opened the suspicious emails so that you can train them further. We also have some training videos that they can be required to watch after they have been labelled as a “clicker”.

This program will allow you to keep tabs on, and change, behavior that leads to network infections. Call me if you are interested.

Safe Harbor

Full Disk Encryption

The loss of a portable device such as a laptop computer is considered a reportable Data Breach unless you have the means to prove to OCR that the device’s hard disk drive was encrypted using Full Disk Encryption (FDE) at the time of loss and that the encryption key was not stored on the device.

Why is that a Data Breach? OCR says that they are going to assume that ePHI was on the lost or stolen device and that the onus is on you to prove otherwise. Since none of us can prove that the laptop user did not have ePHI stored on the device, OCR has given you a “Get Out Of Jail Free” card in the form of Full Disk Encryption. If you can prove the device was encrypted, then you DO NOT HAVE A REPORTABLE BREACH.

Bon Secours says data breach affects 655,000 patients

Personal information of more than 650,000 Bon Secours patients – including names, insurance identification numbers, banking information, social security numbers and some clinical data – was left exposed on the internet for four days this spring by a business associate of the hospital system.

R-C Healthcare Management, a reimbursement optimization firm, was adjusting its network settings between April 18 and April 21, and in doing so exposed data of Bon Secours patients in three states – 435,000 of them in Virginia, the rest in South Carolina and Kentucky – to be accessible online.

Bon Secours first discovered the vulnerability on June 14 and, in turn, notified R-C Healthcare.

“Upon receiving the notification, R-C Healthcare immediately took steps to secure the information so that it could no longer be accessed via the internet,” according to a statement.

R-C Healthcare CEO K. Michael Webdale told Norfolk, Virginia-based WTKR news that the company promptly hired an outside forensic investigator.

“The investigator confirmed the incident has been fully remediated. All R-C customers who might be affected have been notified of the situation and its resolution.”

Bon Secours also kicked off an internal investigation and found that the files R-C made available via the internet may have exposed patient names, social security numbers, bank account information and limited clinical data.

“Medical records were not made available via the internet and medical care has not and will not be affected,” the health system said.

Bon Secours officials said it took nearly two months for an internal investigation to identify the patients who should be notified. The health system began mailing letters to those affected on August 12.

Ransomware attack on Virginia dermatology office breaches more than 13,000 patient records

Reston, VA-based Professional Dermatology Care (PDC) reported that an unauthorized third party accessed protected health information and financial data of 13,237 of its patients.

The cybercriminals encrypted the patient data with ransomware, intending to extract money from the healthcare organization. According to officials, the purpose of the breach was not to ‘misuse patient data.’ The incident occurred between June 19 and 27 this year, when PDC officials discovered the breach.

The stolen data included patient names, addresses, dates of birth, social security numbers, Medicare identification numbers, medical and billing records, according to a statement from PDC.

“PDC has already taken numerous steps to safeguard and prevent any further data breach of its network server and its patients’ protected health information,” PDC said in a statement. “We’ve increased cybersecurity, implemented a new firewall, as well as malware protection services.”

PDC will provide affected patients with identity protection and support.

Security Incident

OCR Guidance on Ransomware:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6).

HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that they believe are reasonable and appropriate to respond to malware and other security incidents, including ransomware attacks. Entities seeking guidance regarding the implementation of security incident procedures may wish to review NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, for additional information.