It’s been a busy summer for the Department of Health and Human Services’ HIPAA-compliance body, the Office for Civil Rights (OCR). Between late June and early August, OCR reached settlements totaling $11.65 million in four cases of HIPAA violations and vulnerabilities.
In chronological order:
A $650,000 settlement announced June 29 stated that Catholic Health Care Services (CHCS), which provided management and IT services as an HIPAA business associate to six skilled nursing facilities in the Philadelphia area, failed to safeguard residents’ electronic protected health information (ePHI). Theft of a CHCS-issued iPhone — unencrypted and not password-protected — compromised the ePHI of 412 residents. OCR determined that CHCS had no risk analysis or risk management plan in place for handling PHI, as required under HIPAA’s Security Rule.
OCR announced on July 18 a $2.7 million settlement with Oregon Health & Science University (OHSU) over “widespread and diverse problems” that will be addressed through a three-year corrective action plan. OCR’s investigation started after OHSU submitted breach reports involving unencrypted laptops and a stolen unencrypted thumb drive containing ePHI. Although OHSU performed risk analyses in six years between 2003 and 2013, the processes did not cover all ePHI in OHSU’s enterprise. “While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level,” according to OCR.
A statement released July 21 detailed multiple alleged HIPAA violations at the University of Mississippi Medical Center (UMMC) settled by a $2.75 resolution amount and corrective action plan. OCR found that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via the organization’s wireless network. Users could access files in an active directory after entering a generic username and password. The directory included 328 files with the ePHI of an estimated 10,000 patients dating back to 2008. OCR determined that UMMC was aware of risks and vulnerabilities to its systems as early as 2005, but failed to take risk-management action until after the breach. The agency cited “organizational deficiencies and insufficient institutional oversight.”
Advocate Health Care Network agreed to settle potential HIPAA penalties for $5.5 million and by implementing a corrective action plan, OCR announced on Aug. 4. The settlement amount was the largest to date against a single entity, according to OCR, reflecting “the extent and duration of the alleged non-compliance.” The investigation began in 2013 after Advocate submitted three breach notification reports pertaining to separate incidents involving a subsidiary, Advocate Medical Group. The combined breaches affected the ePHI of approximately 4 million individuals, the agency reported. The incidents included the theft of four desktop computers from an administrative office building, unauthorized access to a billing service’s network, and theft from an employee vehicle of an unencrypted laptop — exposing ePHI in each case.
HIPAA audits also a consideration
OCR’s recent actions stemmed from investigations following breach notifications. However, healthcare organizations should also be prepared for the agency’s stepped-up HIPAA audit activity. Every HIPAA covered entity and business associate is eligible for an audit. So-called remote “desk audits” are currently underway and will be completed by the end of 2016. Onsite audits will follow, covering a broader scope of requirements from HIPAA’s rules.
As indicated, the stakes have never been higher for healthcare providers and vendors when handling ePHI. Technology such as NetDirector’s HealthData Exchange electronically moves data among disparate systems while adhering to HIPAA security standards. While helping to ensure compliance, the cloud-based solution frees up time that can be allocated to optimizing the patient care experience.