The Office of Civil Rights within the U.S. Department of Health and Human Services recently imposed $2,154,000 in civil money penalties against Jackson Health System in Miami, Florida for multiple violations of HIPAA. The majority of the penalties were due to violations of the HIPAA Security and Breach Notification Rules, rather than for the actual breaches of confidentiality. This action by the government underscores the importance of complying with all of HIPAA, and not just the requirements to safeguard Protected Health Information.
On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.
The HIPAA violations mentioned in the HHS Press Release include:
1-Loss of paper patient records in December 2012;
2-Loss of additional paper patient records in January 2013;
3-A media report containing patient information (a photo shared on social media);
4-Employees accessing the information of one patient without a job related purpose;
5- An employee’s improper access and sale of patient records in 2011.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.
When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.
When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.
Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.
Ransomware attacks are impacting the healthcare community’s HIPAA security at a staggering rate. If a practice has data stolen from their network and they did not report the breach to The Office of Civil Rights (OCR), they could be subject to massive fines for the lack of reporting. Specific steps must be followed to determine if ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a Cybersecurity company to harden the practice’s infrastructure. When you are the victim of an attack once, you will mostly likely be a victim again because of vulnerabilities in your network that enabled the attack vector (or payload) to infiltrate your system. You cannot simply restore your data and hope for the best.
In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest settlement amount, $31k, for potential HIPAA compliance breach violations related to one missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under HHS’ Office of Civil Right’s (“OCR”) scrutiny. The pediatric group used the ePHI record storage company since 2003, yet could not locate or provide a signed BAA to the OCR prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management was not thoroughly undertaken.
The largest settlement reached was $5.5 million to be paid by Memorial Healthcare Systems (“MHS”) located in south Florida. MHS operates 6 hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities. Additionally, MHS is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals, when impermissible access by its employees and impermissible disclosure to affiliated physicians occurred through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had policies and procedures in place related to HIPAA and the Security Rule, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access as required by HIPAA. Further, MHS failed to regularly review records of information system activity, in applications that maintain ePHI, by employees or workforce users or users at affiliated physician practices, even though MHS had identified such risk during risk analysis conducted from 2007 to 2012.
Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA Compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, In February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from a theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.
If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):
Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.
HIPAA is a federal law designed for safe disclosure of patient’s protected health information. The news headlines showcase giant penalties for violations. However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.
So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping off point:
Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase. Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.
How will audited businesses be selected?
This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities. OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit. As a part of these full audits, covered entities will be asked to identify their business associates. OCR will then select 50 business associates to participate.
The US Department of Health and Human Services, Office of Civil Rights is the chief enforcer of HIPAA. The Office’s recent enforcement of HIPAA with respect to a Massachusetts derm practice is illustrative of how the government views HIPAA and how vulnerable medical practices are.
Health law is the federal, state, and local law, rules, regulations and other jurisprudence among providers, payers and vendors to the healthcare industry and its patient and delivery of health care services; all with an emphasis on operations, regulatory and transactional legal issues.