Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA settlement has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security and Breach Notification Rules.
The settlement was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing the unencrypted data of 595 patients.
The number of records exposed was relatively low compared to some of the recent “mega data breaches”, but the OCR deemed the offenses leading to the security incidents to be serious enough to warrant a financial penalty.
This OCR HIPAA settlement shows how important it is to make HIPAA compliance a priority. Data breaches may not always be preventable; but HIPAA violation penalties are.
Privacy, Security and Breach Notification Rule Violations Uncovered
The initial HIPAA violation was uncovered in November, 2012, when a complaint was received by the OCR alerting it to potential non-compliance with HIPAA Rules. SEMC had implemented a new document sharing program which it used to store electronic documents containing the ePHI of patients.
However, the application was insecure, and SEMC failed to conduct a risk assessment to determine security flaws. Had that assessment taken place, controls could have been put in place to allow data to be shared securely and patient data would have remained secure. If appropriate security controls had been put in place, last year’s lost flash drive would also not have resulted in any data exposure.
Furthermore, after the data breaches were discovered, SEMC did not notify the affected patients “in a timely manner”, violating the HIPAA Breach Notification Rule.
OCR Director, Jocelyn Samuels, has sent a stern warning to covered entities looking to take advantage of cloud services. There are serious risks involved, and any organization failing to conduct a risk assessment to check for vulnerabilities could be handing PHI to criminals on a platter.
Samuels said: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications.” She went on to say: “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
OCR HIPAA Settlement Reached for Failure to Secure Data and Lack of a Timely Breach Response
The OCR investigation into potential HIPAA violations determined:
(1) SEMC disclosed the PHI of at least 1,093 individuals. (Under 45 C.F.R. §§ 160.103 and 164.502(a).)
(2) SEMC failed to implement sufficient security measures regarding the transmission and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level. (Under 45 C.F.R. § 164.308(a)(1)(ii)(B).)
(3) SEMC failed to timely identify and respond to a known security incident (the laptop/flash drive theft), mitigate the harmful effects of the security incident, and document the security incident and its outcome. (Under 45 C.F.R. § 164.308(a)(6)(ii).)
In the agreement it is stated that there is no “concession by HHS that SEMC is not in violation of the HIPAA Rules and that SEMC is not liable for civil money penalties.”
The OCR Issues a Robust Corrective Action Plan
After investigation, the OCR discovered numerous privacy, security and breach notification failings that required a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.”
The action plan spans 7 pages of the resolution agreement and contains a list of actions that must be taken over the course of the following 12 months. The minimum duration of the Corrective Action Plan (CAP) is 12 months; although this can be extended if the OCR deems it necessary. The CAP stays in place until the OCR determines that HIPAA Rules are being followed.
The CAP requires SEMC to conduct a self-assessment within 120 days, which must be focused on identifying and dealing with security vulnerabilities and compliance issues related to:
- The transmission of ePHI through unauthorized networks
- Storage of ePHI on unsecured networks, devices and unauthorized systems
- Removal of ePHI from SEMC premises
- Data encryption of portable storage devices
- ePHI security incident reports.
An OCR action plan requires a considerable amount of resources and man-hours to complete successfully. Once security measures have been put in place, the OCR has stipulated that SEMC must conduct:
- 5 unannounced site visits to assess for compliance with policies and procedures
- 15 random interviews of staff with ePHI access rights
- A minimum of three portable device audits to ensure data security measures have been addressed.
All processes and procedures must be documented and progress and compliance reports issued to the OCR at set intervals over the course of the following year.
Recent OCR Enforcement Activity
This is the second HIPAA settlement to be reached between the OCR and a HIPAA-covered entity this year; the previous one was the settlement for potential HIPAA violations with Cornell Prescription Pharmacy in April. A CAP was issued along with a $125,000 fine for improper disposal of Protected Health Information.
The OCR investigates all data breaches involving more than 500 individuals to determine if they were caused, at least in part, as a result of violations of HIPAA Rules. Investigations are also conducted into a number of smaller data breaches if there is an indication they have been caused by serious HIPAA violations.
The OCR – along with state attorneys general – enforces HIPAA regulations and holds healthcare organizations and other covered entities accountable for their actions – or lack of them.
The OCR does not issue financial penalties to all offenders; in many cases a CAP (with strict reporting requirements) is more appropriate. Financial penalties are typically reserved for serious breaches of HIPAA regulations or persistent violations.
Many violations are uncovered each year; but financial penalties and settlements are relatively few and far between. The only other recent penalties issued were for the Anchorage Community Mental Health Services data breach (December 2014) and the Parkview Health System settlement reached in June, 2014.
Only an Apparent Lack of OCR Enforcement Activity
The apparent lack of enforcement action should not be viewed as the OCR taking a softer approach on HIPAA violators. Covered entities are being investigated and penalized; however, settlements usually take many years to resolve.
The Cornell settlement was reached on April 22, 2015, yet the compliance review ordered by the OCR took place on January 13, 2012. The settlement took three years and 5 months to be reached from the date the OCR compliance review report was issued.
The St. Elizabeth Medical Center HIPAA settlement was reached for an offense discovered on November 16, 2012, with the resolution agreement taking a similar amount of time to be reached.
The high volume of data breaches now occurring as a result of HIPAA violations could see a considerable number of financial penalties issued; however it may take until 2018 or longer before settlements for this year’s data breaches are reached.