Recently, I created two new HIPAA training resources.
I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually-engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
HIPAA Interactive Whiteboard
I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about HIPAA. It can also be used in learning management systems.
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.
Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found over a period of several weeks the PHI had been left unsecured outside Filefox and had been removed from the facility by an unauthorized person.
The press release can be viewed here. The Resolution Agreement can be viewed here.
Also of Interest
HIPAA Enforcement Guide
HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement
Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe
Lessons from 2016, the Biggest HIPAA Enforcement Year on Record
Is HIPAA Enforcement Too Lax?
Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?
I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group. I am particularly interested in the insurer’s perspective, so I interviewed Katherine.
The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million. 2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter. In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was. Here are details about enforcement actions in 2017 thus far:
- Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago. In October 2013, operating room schedules that were written on paper and contained PHI of 836 individuals went missing. Patients were not notified of the breach until February of 2014. This represents the first enforcement related to the timeliness of breach notification.
- An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management. OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce. In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department. Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
- Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals. In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals. The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
- Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty. In this incident, the PHI of 115,143 patients was improperly accessed and disclosed. Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year. The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed. Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.
Not too long ago, I posted an overview of OCR’s enforcement in 2016. OCR continues to be active in its enforcement, at its highest level to date. This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.
Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement. 2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.
The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.
Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.
By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts about health privacy and security:
by Daniel J. Solove
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC). SEMC agreed to pay $218,000.
The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken. OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”
by Daniel J. Solove
I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.