HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The Importance of Auditing Business Associates Highlighted by OIG Investigation

The Department of Veteran Affairs’ Office of Inspector General (OIG) has published a report on the investigation of a VA contractor that was alleged to be allowing employees to access, share, and store the protected health information of veterans on personally owned devices.

Anchorage-based ProCare Home Medical Inc., a supplier of home oxygen services on behalf of the VA, was reported to OIG for breaching federal information security standards. The tipoff came via the VA OIG Hotline in December 2014. OIG was informed that the company’s employees were permitted to use personal computers and smartphones to access the company’s computer system. They were also alleged to have downloaded the PHI of veterans to their personal devices.

OIG conducted an onsite review of ProCare facilities in May 2015. Staff were interviewed and contractor business processes were observed. VA staff were also interviewed to determine the level of oversight of contractors that was taking place.

The allegations made against ProCare were substantiated by OIG, and while it was not possible to examine the devices of staff members to check for downloaded data, OIG did confirm that it was possible for personal devices to be used to connect to an unauthorized Wi-Fi network and gain access to the PHI of veterans.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to the OIG report, “ProCare staff told us they could use personal computers from home with unauthorized cloud-based software that managed client information that was accessing and transmitting sensitive VA data without encryption controls and without VA’s knowledge or permission.”

OIG also found that ProCare was storing sensitive data, including PHI, on a server and computer workstations that lacked appropriate security controls. There were insufficient physical controls and no logical access controls. Consequently, PHI was at risk of being accessed by unauthorized users. A server was also located close to an unsecured door to the car park of the facility, as was a shredding bin containing sensitive documents ear-marked for destruction. The PHI of veterans was also discovered to have been printed and stored in unlocked filing cabinets at the ProCare facility. ProCare was also unable to provide documentation to show that staff members who were allowed to access the PHI of veterans had received security awareness training.

OIG determined that these security and privacy failures occurred as a direct result of the lack of oversight of the contractor by the VA. No site visit had taken place to ensure the company was in compliance with VA policies and procedures and insufficient assistance had been provided to ensure compliance with VA policies.

OIG made a number of recommendations to improve oversight of VA contractors. Those measure included assigning a Local Contracting Officer’s Representative and Information Security Officer to provide oversight of contractors used by the Alaska VA Healthcare System.

Staff at ProCare were required to undergo security awareness training, and it was recommended that the Assistant Secretary for Information and Technology visit ProCare to assess security controls and to perform a thorough risk assessment.

The VA concurred with the recommendations and issued a corrective action plan to ProCare. A site visit was also conducted and it was confirmed that ProCare had implemented all points on its CAP. All PHI was secured, shred bins were kept in secure areas, access to the facility required a sign in and security passes were in use, and all ePHI was stored in a password protected system. Encrypted email is now used for transmitting all ePHI. Physical records are also kept in locked cabinets when not in use. No evidence was found of personal devices being used to access sensitive data.

The report serves as a reminder for all healthcare organizations that they should not take it for granted that their business associates are complying with HIPAA regulations. It is essential that security reviews are conducted to ensure PHI is being stored, transmitted, and used in accordance with HIPAA regulations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.