Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients. The company also failed to obtain a business associate agreement (BAA) with the calendar company (Google).
All posts in Training: HIPAA
Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA). According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.” The PHI later turned up on the vendor’s website.
This was clearly an unforced error in compliance — and an expensive one! So easy to avoid too! Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on. Vendor management is incredibly important, and organizations that fail to have proper agreements with their vendors that receive personal data are often punished severely by many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under the FTC Act Section 5 when they lack an adequate vendor agreement.
The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics! So many cases involve failing to do obvious things. There’s not much muddy ground in the land of enforcement.
Also of Interest Regarding HIPAA
I am very excited to announce that my HIPAA training programs and short courses have received a complete update and new design.
- different comprehensive annual HIPAA privacy and security modules depending upon whether an entity is a covered entity or business associate
- courses to cover the material at different lengths
- short modules (most 5 minutes or less) designed for on-demand or periodic training
- many humorous cartoon vignettes to reinforce essential points about HIPAA
- HIPAA games
Learn more about our 60+ HIPAA training topics for your workforce.
Recently, I created two new HIPAA training resources.
I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually-engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
HIPAA Interactive Whiteboard
I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about HIPAA. It can also be used in learning management systems.
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect was different than their usual settlement process in that Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid their obligations under HIPAA even though they were no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations made by the company while open.
Their HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found over a period of several weeks the PHI had been left unsecured outside Filefox and had been removed from the facility by an unauthorized person.
Also of Interest
At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?
I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group. I am particularly interested in the insurer’s perspective, so I interviewed Katherine.
The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million. 2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter. In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was. Here are details about enforcement actions in 2017 thus far:
- Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago. In October 2013, operating room schedules that were written on paper and contained PHI of 836 individuals went missing. Patients were not notified of the breach until February of 2014. This represents the first enforcement related to the timeliness of breach notification.
- An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management. OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce. In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department. Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
- Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals. In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals. The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
- Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty. In this incident, the PHI of 115,143 patients was improperly accessed and disclosed. Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year. The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed. Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.
Not too long ago, I posted an overview of OCR’s enforcement in 2016. OCR continues to be active in its enforcement, at its highest level to date. This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.
Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement. 2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.
The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.
Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations: