The Importance of Auditing Business Associates Highlighted by OIG Investigation
The Department of Veteran Affairs’ Office of Inspector General (OIG) has published a report on the investigation of a VA contractor that was alleged to be allowing employees to access, share, and store the protected health information of veterans on personally owned devices.
Anchorage-based ProCare Home Medical Inc., a supplier of home oxygen services on behalf of the VA, was reported to OIG for breaching federal information security standards. The tipoff came via the VA OIG Hotline in December 2014. OIG was informed that the company’s employees were permitted to use personal computers and smartphones to access the company’s computer system. They were also alleged to have downloaded the PHI of veterans to their personal devices.
OIG conducted an onsite review of ProCare facilities in May 2015. Staff were interviewed and contractor business processes were observed. VA staff were also interviewed to determine the level of oversight of contractors that was taking place.
The allegations made against ProCare were substantiated by OIG, and while it was not possible to examine the devices of staff members to check for downloaded data, OIG did confirm that it was possible for personal devices to be used to connect to an unauthorized Wi-Fi network and gain access to the PHI of veterans.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
According to the OIG report, “ProCare staff told us they could use personal computers from home with unauthorized cloud-based software that managed client information that was accessing and transmitting sensitive VA data without encryption controls and without VA’s knowledge or permission.”
OIG also found that ProCare was storing sensitive data, including PHI, on a server and computer workstations that lacked appropriate security controls. There were insufficient physical controls and no logical access controls. Consequently, PHI was at risk of being accessed by unauthorized users. A server was also located close to an unsecured door to the car park of the facility, as was a shredding bin containing sensitive documents ear-marked for destruction. The PHI of veterans was also discovered to have been printed and stored in unlocked filing cabinets at the ProCare facility. ProCare was also unable to provide documentation to show that staff members who were allowed to access the PHI of veterans had received security awareness training.
OIG determined that these security and privacy failures occurred as a direct result of the lack of oversight of the contractor by the VA. No site visit had taken place to ensure the company was in compliance with VA policies and procedures and insufficient assistance had been provided to ensure compliance with VA policies.
OIG made a number of recommendations to improve oversight of VA contractors. Those measure included assigning a Local Contracting Officer’s Representative and Information Security Officer to provide oversight of contractors used by the Alaska VA Healthcare System.
Staff at ProCare were required to undergo security awareness training, and it was recommended that the Assistant Secretary for Information and Technology visit ProCare to assess security controls and to perform a thorough risk assessment.
The VA concurred with the recommendations and issued a corrective action plan to ProCare. A site visit was also conducted and it was confirmed that ProCare had implemented all points on its CAP. All PHI was secured, shred bins were kept in secure areas, access to the facility required a sign in and security passes were in use, and all ePHI was stored in a password protected system. Encrypted email is now used for transmitting all ePHI. Physical records are also kept in locked cabinets when not in use. No evidence was found of personal devices being used to access sensitive data.
The report serves as a reminder for all healthcare organizations that they should not take it for granted that their business associates are complying with HIPAA regulations. It is essential that security reviews are conducted to ensure PHI is being stored, transmitted, and used in accordance with HIPAA regulations.