HIPAA enforcement actions highlight importance of maintaining and auditing security practices
Recent enforcement actions by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), highlight the importance of maintaining security practices and auditing access activities.
Failure to address risks – Metro Community Provider Network
On April 12, 2017, OCR announced that Metro Community Provider Network, a federally qualified health center, filed a breach report in 2012, indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals' electronic personal health information (ePHI) through a phishing incident.
OCR’s investigation concluded that prior to the incident, Metro Community Provider Network had failed to conduct a risk analysis to assess the risks and vulnerabilities in its ePHI environment and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.
A civil monetary penalty of $400,000 was imposed on Metro Community Provider Network. Additionally, it entered into a Resolution Agreement and Corrective Action Plan requiring Metro Community Provider Network to (1) conduct a risk analysis and formulate a risk analysis plan, subject to the approval of HHS; (2) develop and implement a risk management plan, subject to the approval of HHS; (3) review and revise its HIPAA policies, subject to the approval of HHS; and (4) review and revise its HIPAA training materials, subject to the approval of HHS.
Information from OCR, including the Resolution Agreement and Corrective Action Plan, is available here.
Take away: Covered entities and business associates must conduct risk analyses regularly and act to mitigate the risks to PHI identified. While it may be impossible to prevent all security intrusions, such as hacking, the failure to perform a risk analysis and make reasonable attempts to prevent such security intrusions can lead to HIPAA violations.
Lack of audit controls – Memorial Healthcare System
In February 2017, OCR announced a civil money penalty of $5.5 million against Memorial Healthcare System after ePHI was improperly accessed by current workforce members due to the failure to terminate credentials of former workforce members.
Memorial Healthcare System self-reported the breach of the ePHI of 115,143 individuals due to improper access by current workforce members and by a former workforce member. Memorial Healthcare System discovered that between April 2011 and April 2012, the log-in credentials of a former workforce member, which had not been terminated, were used to access ePHI on a daily basis. Memorial Healthcare System subsequently reported additional breaches resulting from the improper access by twelve users at an affiliated physician office. OCR reported that some of these instances led to federal charges relating to selling PHI and filing fraudulent tax returns.
The investigation by OCR found that Memorial Healthcare System failed to implement procedures to regularly review records of system activity, such as audit logs, access reports and security tracking reports, as required by 45 CFR 164.308(a)(1)(ii)(D). Further, OCR stated that its investigation indicated that for over a year, Memorial Healthcare System failed to implement policies and procedures to establish, modify and document users’ rights of access as required by 45 CFR 164.308(a)(4)(ii)(C).
In addition to the $5.5 million civil monetary penalty, Memorial Healthcare System entered into a Resolution Agreement and Corrective Action Plan requiring it to (1) conduct a risk analysis and formulate a risk management plan; (2) review and revise its HIPAA policies, subject to the approval of HHS; (3) develop an internal monitoring plan; and (4) engage a third party, subject to the approval of HHS, to conduct an external assessment of the system’s compliance with the Corrective Action Plan.
Information from OCR, including the press release and Resolution Agreement and Corrective Action Plan, is available here.
Take away: Covered entities and business associates must have procedures in place to terminate access to systems containing PHI when a workforce member departs for any reason. This should occur immediately upon termination of the workforce member. Additionally, covered entities and business associates should conduct audit activities to monitor their systems for improper access or other security incidents. Monitoring system activity can identify and stop improper access that may otherwise lead to ongoing, large-scale breaches if not caught.
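As an added illustration of the audit activity this take away calls for (example code, not part of the original alert or of OCR's materials), the following Python joins a constructed HR roster with constructed access-log lines and surfaces every ePHI access made with credentials of a separated workforce member, together with the distinct days on which it recurred. The log line format, field names and roster are assumptions made for the example.

```python
"""Flag ePHI access by credentials that should have been terminated.

Constructed example: an HR roster with separation dates is joined against
application access-log lines so that any login by a separated workforce
member, and the distinct days on which it recurred, is surfaced for review.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: user id -> separation date (None = still employed).
ROSTER = {
    "jdoe": date(2011, 3, 31),
    "asmith": None,
    "rlee": date(2011, 9, 15),
}

# Constructed log lines: "<ISO timestamp> user=<id> action=<verb> record=<id>"
LOG_LINES = """\
2011-04-01T08:02:11 user=jdoe action=view record=P10023
2011-04-02T08:05:47 user=jdoe action=view record=P10417
2011-04-02T09:12:03 user=asmith action=view record=P10023
2011-09-14T17:40:00 user=rlee action=view record=P11180
2011-09-16T07:58:21 user=rlee action=export record=P11180
2012-04-01T08:00:09 user=jdoe action=view record=P20999
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, fields dict)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), fields


def post_termination_access(roster, log_lines):
    """Return {user: sorted distinct dates} for every access strictly after
    the user's separation date. Active users are ignored; user ids absent
    from the roster are also skipped here and deserve a separate review."""
    hits = defaultdict(set)
    for line in log_lines:
        stamp, fields = parse_line(line)
        separated = roster.get(fields["user"])
        if separated is not None and stamp.date() > separated:
            hits[fields["user"]].add(stamp.date())
    return {user: sorted(days) for user, days in hits.items()}


if __name__ == "__main__":
    for user, days in post_termination_access(ROSTER, LOG_LINES).items():
        print(f"{user}: {len(days)} day(s) of access after separation, "
              f"first {days[0]}, last {days[-1]}")
```

Running the review on a schedule, rather than only after a report, is what turns a daily pattern like jdoe's into a finding after days instead of a year.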