Last week the Department of Health and Human Services Office for Civil Rights (“OCR”) announced another large HIPAA fine. This instance is a $5.5 million fine with Memorial Healthcare System (“MHS”). Unfortunately, some of the issues that led to the breach, and thus the settlement, were highly preventable, and therefore are worth pointing out. The primary issues included,
- Failing to implement its own policies and procedures for modifying/terminating access to PHI;
- Failing to review records of PHI accessed by staff; and
- Failing to act on risks identified during a security risk assessment.
Specifically, for over a year MHS failed to close the account of a terminated employee. That account was used to access PHI affecting more than 80,000 individuals.
This highlights the need for several things. First, you must have a specific process in place to terminate accounts when employees leave. This typically requires HR and IT to work closely together. If you don’t have a smooth process, consider working closely with both departments to establish a consistent procedure.
Second, you should periodically review who is accessing PHI. If MHS had done this they would likely have noticed that an account of a terminated employee was not only still active, but was being utilized to access PHI. As we have discussed in the past, the reviews can be a high frequency sample that is conducted on a consistent schedule, rather than an exhaustive review of all accounts and access levels.
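The account-termination check and the periodic access review described above can be combined into one scheduled report. The following is an added example, not part of the original post; the CSV layouts, user names and records are constructed assumptions standing in for an HR roster, a directory export and a PHI access log.

```python
import csv, io
from datetime import datetime

# Constructed sample data (assumed layouts, not from any real system).
HR_ROSTER = """user,status,termination_date
jdoe,terminated,2016-03-15
asmith,active,
bnguyen,terminated,2016-11-30
"""
ACCOUNTS = """user,enabled
jdoe,true
asmith,true
bnguyen,false
"""
ACCESS_LOG = """timestamp,user,patient_id,action
2016-03-10T09:12:00,jdoe,P-1001,view
2016-06-02T22:41:00,jdoe,P-2040,view
2016-06-02T22:43:00,jdoe,P-2041,export
2016-07-01T08:05:00,asmith,P-1001,view
2016-11-29T16:30:00,bnguyen,P-3300,view
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def terminated_users(roster):
    """Map user -> termination date (midnight) for terminated staff."""
    return {r["user"]: datetime.strptime(r["termination_date"], "%Y-%m-%d")
            for r in _rows(roster) if r["status"] == "terminated"}

def stale_accounts(roster, accounts):
    """Terminated users whose account is still enabled."""
    gone = terminated_users(roster)
    return sorted(r["user"] for r in _rows(accounts)
                  if r["user"] in gone and r["enabled"] == "true")

def post_termination_access(roster, log):
    """PHI access rows time-stamped after the user's termination date."""
    gone = terminated_users(roster)
    hits = []
    for r in _rows(log):
        ts = datetime.fromisoformat(r["timestamp"])
        if r["user"] in gone and ts > gone[r["user"]]:
            hits.append((r["timestamp"], r["user"], r["patient_id"], r["action"]))
    return hits

if __name__ == "__main__":
    print("Enabled accounts of terminated staff:", stale_accounts(HR_ROSTER, ACCOUNTS))
    print("Access after termination:", post_termination_access(HR_ROSTER, ACCESS_LOG))
```

Any access on the termination day itself is flagged as well, since the comparison starts at midnight; that errs toward review rather than silence.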
Additionally, MHS identified many of these items as causing potential risk to the organization through several Security Risk Assessments. However, it failed to do anything to remediate the issues. Much significance has been placed on conducting a risk assessment, but little has been done to highlight that identified risks need to be corrected. One output of your risk assessment should be a prioritized list of items that need remediation. You should be establishing milestones along the way to correct these issues and tracking your progress.
Finally, MHS failed to implement the policies and procedures it had in place on many of these issues. Having policies and procedures that outline your safeguards is important, but following your documentation is absolutely critical. HIPAA compliance is as much about compliance with your own policies and procedures as it is doing what the rule requires. This is one reason why it is important to frequently review your policies and procedures to ensure you are doing what those documents outline.
In summary, this large breach fine highlights the fact that protecting patient information is not about high tech solutions, but rather about doing the little things. Not doing some basic tasks compounds the issues and exacerbates the damage.
Covered Entities and Business Associates must report breaches of PHI in a timely manner. In most states, you will have up to 60 days (without unreasonable delay) from the time of the discovery to notify the individual; however, your state may have shortened that timeframe. For breach notification to the U.S. Secretary of Health and Human Services there are two potential times for notification. For breaches affecting more than 500 people, it must also be within 60 days of discovery (without unreasonable delay). For breaches that occurred in 2016 and affected under 500 people, they must be made to the Secretary before Thursday, March 2, 2017. Instead of sending a HIPAA breach notification letter, these breaches should be submitted via the electronic breach report.
As a reminder, you must consider the following factors when determining if a breach occurred,
- The nature and extent of the PHI involved, including the type of identifiers and the likelihood of re-identification;
- The unauthorized person to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If you can determine through this analysis that there is a low probability the PHI was compromised, then a breach did not occur and notification is not necessary. However, if you determine that it was anything more than a low probability the PHI was compromised, then a breach did occur and must be reported.
By way of summary, all breaches must be reported to the individual and to the Secretary of HHS. If you had a breach in 2016 affecting under 500 people, the deadline for you to notify the Secretary is March 2.
In a recent survey, privacy, security and risk management leaders felt employee negligence was the largest privacy and security threat. Given the number of recent breaches caused by malicious cyber-attacks, this is an interesting observation by the professionals in the field. Furthermore, over 50% of respondents believe healthcare will remain the industry most at risk in 2016.
What do you think is the largest privacy and security threat in your organization? What are you doing to prevent a breach? To face challenges, a majority of respondents are increasing their budgets for privacy and security protections. If your budget is limited, there are ways to put cost-efficient safeguards in place. Some suggestions include,
- Send periodic e-mail reminders to your staff about specific safeguards (access controls, passwords, minimum necessary rule);
- Check that patches (including on mobile devices) are up-to-date; and
- Verify that your business associates or subcontractors have implemented their own safeguards.
Updated HIPAA Audit Whitepaper
The HHS Office for Civil Rights now says the HIPAA audits will start soon. Take a look at our most recent whitepaper to learn what you can do today to prepare.
Part One in a Three Part Series on The HIPAA Impact on Organizational Arrangements
Reduce Administrative Burden While Still Maintaining Compliance
By Adam Bullian, JD
By now you have probably heard, through news media, about a significant security issue that probably will affect you. The name that has been given to it is the “Heartbleed” vulnerability. It is a vulnerability, not a virus or malicious software, and is so widespread and important that we feel it appropriate to provide you with an explanation of the problem and how it affects you…
A major vulnerability in the bash software was announced today that affects Linux, Unix and Mac OSX systems. It does not affect most Windows systems unless they are running the affected Operating Systems as virtual machines. Nearly all Linux and Mac OSX systems are affected. Because of the seriousness of the bash vulnerability all systems should be checked. The vulnerability is a bug that affects a very core component of the Operating System called the “Shell”. “Bash” is the most common shell in the Unix/Linux world. It is a general purpose tool used by all system administrators to load, maintain, run and delete software and files.