OCR Aims HIPAA Audits at Covered Entities and Business Associates

April 29, 2016

The second phase of audits under the HIPAA Audit Program will focus on the business associates (BAs) of HIPAA covered entities (CEs) as well as the CEs themselves. The HHS Office for Civil Rights (OCR) will conduct the audits to uncover vulnerabilities to protected health information and evaluate CEs’ and BAs’ policies and procedures regarding compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.

Scope. The HIPAA audit process begins with entity verification, in which the OCR will request, via email, that CEs and BAs respond to the OCR with their contact information in a timely manner. The contact information request is followed by a pre-audit questionnaire regarding the type, size, and operations of an organization. The OCR uses the results of the pre-audit questionnaire to create potential audit pools. Every CE and BA is a potential candidate for an audit. The potential auditees include individual and organizational providers of health services, health plans of all sizes and functions, health care clearinghouses, and the BAs of those organizations. While the first round of program audits narrowly focused on CEs, the OCR planned the second phase of audits to widen the focus of the audit program to more significantly include BAs.

Audits. The OCR plans to begin with desk audits of CEs and BAs. The OCR will notify selected entities of the subject of an audit in a document request letter. Entities chosen for the audit will submit documents online through a new secure audit portal on OCR’s website. If selected, an entity will have 10 business days to respond to the OCR’s information request. The OCR will then provide the entity with draft findings, to which the entity will have a further 10 business days to respond.

Although the OCR expects fewer on-site audits in the second round than in the first phase of the audit program, entities should remain prepared for site visits because the OCR will perform an on-site visit whenever it deems one appropriate. The audits help the OCR determine what kind of guidance should be developed, and what kind of corrective action is necessary, to keep CEs and BAs in compliance.


$750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies

September 10, 2015

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana. 

On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule.  It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012.  Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.  OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” said OCR Director Jocelyn Samuels. “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Full article available at: http://www.hhs.gov/news/press/2015pres/09/20150902a.html


$800,000 HIPAA Settlement in Medical Records Dumping Case

July 2, 2014

Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).  Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program.  Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule.  In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.  On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

As a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

“All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heide, acting deputy director of health information privacy at OCR.  “It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”

Parkview cooperated with OCR throughout its investigation. In addition to the $800,000 resolution amount, the settlement includes a corrective action plan requiring Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR.

Full article available at: http://www.hhs.gov/news/press/2014pres/06/20140623a.html


Data Breach Results in $4.8 Million HIPAA Settlements

May 14, 2014

Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.


Stolen Laptops Lead to Important HIPAA Settlements

April 30, 2014

Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.

OCR received a breach notice in February 2012 from QCA Health Plan, Inc. of Arkansas reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted its devices following discovery of the breach, OCR’s investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.


Enrollment in the Health Insurance Marketplace Climbs to 4.2 Million in February

March 26, 2014

Enrollment in the Health Insurance Marketplace continued to rise in February to a five-month total of 4.2 million. As in January, the percent of young adults who selected a Marketplace plan was 3 percentage points higher than it was from October through December (27 percent versus 24 percent). Based on enrollment patterns in other health care programs, it is expected that more people will sign up as we get closer to the March 31st deadline.

“Over 4.2 million Americans have signed up for affordable plans through the Marketplace,” said HHS Secretary Kathleen Sebelius. “Now, during this final month of open enrollment our message to the American people is this: you still have time to get covered, but you’ll want to sign up today – the deadline is March 31st.”

Key findings from today’s report include:

  • More than 4.2 million (4,242,300) people selected Marketplace plans from Oct. 1, 2013, through Mar. 1, 2014, including 1.6 million in the State Based Marketplaces and 2.6 million in the Federally-facilitated Marketplace. About 943,000 people enrolled in Health Insurance Marketplace plans in the February reporting period, which concluded March 1, 2014.

Of the more than 4.2 million:

  • 55 percent are female and 45 percent are male;
  • 31 percent are age 34 and under;
  • 25 percent are between the ages of 18 and 34;
  • 63 percent selected a Silver plan (up one percentage point over the prior reporting period), while 18 percent selected a Bronze plan (down one point); and
  • 83 percent selected a plan and are eligible to receive Financial Assistance (up one point).

County Government Settles Potential HIPAA Violations

March 11, 2014

Skagit County, Washington, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. Skagit County agreed to a $215,000 monetary settlement and to work closely with the Department of Health and Human Services (HHS) to correct deficiencies in its HIPAA compliance program. Skagit County is located in Northwest Washington, and is home to approximately 118,000 residents. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care.

“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”

OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.

Skagit County continues to cooperate with OCR through a corrective action plan to ensure it has in place written policies and procedures, documentation requirements, training, and other measures to comply with the HIPAA Rules. This corrective action plan also requires Skagit County to provide regular status reports to OCR.