The following was written by Leslie Bender, CIPP/US, the General Counsel and Chief Strategy Officer at BCA Financial Services.
And the HIPAA enforcement actions continue as 2019 draws to a close. The theme seems to be “skip the trust part and just verify.”
For any organization that is responsible for mailing information to consumers, take note of the recent HIPAA enforcement action in the Mid-Atlantic. In this instance, the ordinary task of sending out bills to patients, with patients’ billing statements accidentally mismatched with their mailing labels, led to a fine of over $2 million against a large Mid-Atlantic health system. https://www.hhs.gov/sites/default/files/signed-ra-sentara-508.pdf
The vulnerability of sending information to the wrong person exists for each and every organization that is responsible for mailing sensitive information to consumers. In brief, the facts were that over a period of time, billing statements for 577 patients were merged with 16,342 different guarantors’ mailing labels, resulting in the disclosure of those 577 patients’ protected health information (PHI). Upon receipt of a complaint, the health system conducted an investigation but reported a breach affecting only 8 of the individuals. The two key factors in this governmental enforcement action were as follows: first, the process of mailing out billing statements was performed by a business associate, but the health system failed to obtain satisfactory assurances about how the process would be accomplished and monitored; and second, the health system did not notify the U.S. Department of Health and Human Services (“HHS”) of the breach of unsecured PHI as required by law.
Not a month earlier, HHS announced a $1.6 million civil money penalty against the Texas Health & Human Services Commission (“TX HHSC,” as successor in interest to Texas’ Department of Aging and Disability Services, or “DADS”) for violating HIPAA when the PHI of over 6,600 individuals was viewable over the internet, including names, addresses, social security numbers and treatment information. Allegedly the breach happened when DADS moved an internal software application from a private, secure server to a public server. A flaw in the software code allegedly allowed access to the PHI without access credentials. HHS learned in its investigation that DADS had not conducted any sort of enterprise-wide risk analysis and had not met the standards of HIPAA’s Security Rule for implementing access and audit controls. Because of the gaps in its audit controls, DADS was unable to determine how many unauthorized persons may have accessed individuals’ PHI. An essential feature of a HIPAA compliance effort is knowing, at all times, who can access the PHI in an organization’s custody. https://www.hhs.gov/about/news/2019/11/07/ocr-imposes-a-1.6-million-dollar-civil-money-penalty-against-tx-hhsc-for-hipaa-violations.html
That same week a month ago, HHS entered into an agreement with the University of Rochester Medical Center (URMC) to pay a $3 million civil money penalty for improperly disclosing PHI through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. Again, as in the DADS enforcement action, HHS learned that URMC had allegedly failed to conduct an enterprise-wide risk assessment and had not implemented sufficient security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level. HHS explained publicly that it had investigated URMC in 2010 for a similar breach and that, despite this, it did not feel URMC had implemented sufficient controls to prevent or mitigate the predictable harm or loss that could flow from unencrypted laptops or other devices with removable media. https://www.hhs.gov/about/news/2019/11/05/failure-to-encrypt-mobile-devices-leads-to-3-million-dollar-hipaa-settlement.html
Earlier in the quarter we noted that HHS imposed a $2.15 million civil money penalty against the world-renowned academic medical center, the Jackson Health System (“JHS”). JHS employs over 12,000 individuals and sees over 650,000 patients annually. Over the course of two years, HHS learned that JHS allegedly had inadequate controls over paper patient records containing PHI. HHS became aware of the loss of over 750 patients’ paper records, learned that employees were accessing patients’ electronic health records with no “need to know,” and tracked down a social media exposé that involved photos of a JHS operating room and patients’ health information. During the same timeframe, JHS filed a breach report with HHS chronicling a former employee’s theft and sale of information on over 24,000 patients over a five-year period. In its investigation of JHS, HHS made findings that JHS was not providing timely breach notifications and, in HHS’s opinion, had failed to implement sufficient or reasonable risk detection or management strategies. In an emotionally charged statement, a director at HHS stated that JHS’s “compliance program had been in disarray for a number of years.”
So what are the lessons learned from these large HIPAA enforcement actions as we begin to plan our cybersecurity new year’s resolutions? Here are a few:
- While there are no HIPAA police, HIPAA investigations and enforcement actions are ongoing;
- There is no time like the present to schedule and conduct periodic enterprise-wide risk assessments and update your HIPAA compliance program;
- Trust but verify your internal security issue reporting and detection programs and implement reasonable and sensible audit and testing programs. Stated otherwise: make sure it is clear and easy for people to report suspected security issues to you;
- Maintain electronic logs of where PHI is and who is using and disclosing it (and to whom);
- Develop reasonable oversight for any processes that lead to things as simple as mailing out statements or other information to patients, so that errors can be detected and prevented and corrective action can be taken before mailings are sent. In its most elemental form: a maker/checker system, in which one person prepares the mailing and a second person verifies it, is important and advisable; and
- Security breaches and incidents are nothing like fine wines: they do not improve with time, so do not wait to report them as may be required by law.