5 breaches settlement As expected, OCR has continued to announce enforcement actions in 2018.  This one is a bit different than any previous resolution in that there are 5 breaches in one settlement across multiple locations in a single organization. It is also important to note that all 5 breaches date back to 2012.  Almost 6 years since the first one occurred, we have the resolution agreement.

In this episode:

5 Breaches Equals 1 Big Settlement – Ep 141

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Where to meet us [2:30]

Learn more about our Live HIPAA Boot Camp and request one in your area: www.HelpMeWithHIPAA.com/bootcamp  [4:09]

The HIPAA Boot Camp – Virtual Edition – For the first time, our Boot Camp is going virtual.

  • The virtual format is done in 3-4 hour online sessions over a two week period.
  • March 13/14/15 and 21/22.
  • $997 early bird special rate through Feb 28th.
  • $1,297 March 1 – 12.
  • One registration covers attendance of up to 3 people on your team.
  • One on one planning sessions for each organization included.  You schedule them for after the end of class.
  • Access to recordings and all resource material available online for at least 6 months.

Want to be part of Help Me With HIPAA? Become a Patreon at www.HelpMeWithHIPAA.com/give

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

[8:06]

5 Breaches Equals 1 Big Settlement – Ep 141

Another interesting resolution agreement for us to evaluate as guidance for our own programs.  First, let’s get the details of the organization’s five different breach issues.  This one involves a $3,500,000.00 settlement check and a 2-year corrective action plan (CAP).  Definitely Consuela money!

The Facts

On Jan 12, 2013, Fresenius Medical Care North America (“FMCNA”) submitted five breach reports to HHS.  Each breach was a separate and distinct incident that occurred in 2012.

FMCNA provides services for people with chronic kidney failure.  Pretty big network too, with over 60K employees and 170K patients.

FMCNA provides centralized corporate support to the FMCNA Covered Entities involved in the breaches, including centrally storing its patients’ medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances of each breach reported to it by the FMCNA Covered Entities.

There are many more companies out there like these now than there were back then.  I know this because we work with clients that use these kinds of services.  I have seen the policies and procedures being put out there and let’s just say….. Well, let’s just say nothing about them.

The 5 FMCNA locations and their breaches that were reported are:

  1. Jacksonville, FL
    1. Feb 23, 2012
    2. two desktop computers were stolen during a break-in
    3. 200 patients
  2. Semmes, AL (Near Mobile, AL)
    1. Apr 3, 2012
    2. USB drive was stolen from employee car parked in the parking lot of their office
    3. 245 patients
  3. Maricopa, AZ (Near Phoenix)
    1. Anonymous report on their compliance line came on June 18, 2012.
    2. A hard drive from a desktop computer that was not being used anymore was removed on April 6.
    3. 35 patients on the drive
    4. The employee notified the manager in April but nothing was done about it
    5. “Someone” reported in finally in June.
  4. Augusta, GA
    1. June 16, 2012, unencrypted laptop stolen from employee car parked at their home overnight
    2. Stored in a bag with a list of passwords
    3. 10 patients
  5. Blue Island, Illinois (Near Chicago)
    1. On or around June 17-18, 2012, 3 desktop computers and one encrypted laptop were stolen from the facility.
    2. One desktop had patient info and was not encrypted
    3. 31 patients

On July 15, 2013, OCR let them know they were opening an investigation of all 5 of them.  Here is the list of things the investigation found:

  1. All of the locations failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  2. All of the locations had impermissibly disclosed ePHI since there was unauthorized access possible in every case
  3. Jacksonville and Blue Island did not implement policies and procedures to safeguard facilities and equipment from unauthorized access, tampering, and theft.
  4. Mobile did not implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility
  5. Mobile and Augusta didn’t do encryption
  6. Phoenix didn’t have policies and procedures to address security incidents
  7. Augusta also failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI

What should we learn?

We always have to check out the OCR official quote about the settlement.  Here is what Roger Severino had to say about this settlement:

The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.

I am starting to see a trend – maybe, maybe not – but doesn’t Severino use the phrase “in accordance with the law” in these kinds of statements.  Maybe he is pointing out this is about following the law, I don’t know.

Reporting small breaches all at the same time may not be a good idea.

First, let’s address the fact that these were all breaches reported the same day.  This is exactly the point that we make when people ask us about reporting small breaches to HHS.  The law says you have until basically the end of Feb of the following year to report any breach under 500 patients.  But, we always point out that there is no reason to wait to submit them once you know the details.  Just get it done.  You don’t want to do anything that might bring attention to yourself.  The current systems HHS uses for these things are slapped together to just capture the data even now. Back then, for sure.  But, you show up on a list in a big chunk like this and someone will likely notice.

Tip for today, get your small breaches in when they are resolved and don’t wait.  BTW, we are rapidly approaching the deadline to submit those breaches to HHS for 2017 that weren’t already submitted.

Risk analysis, risk analysis, risk analysis

This is on virtually every single one of these settlements.  The risk analysis needs to evaluate where your PHI lives and moves around.  Then, you figure out what could go wrong and what you can do to prevent bad things from happening.  If you just run a program or fill out a bunch of questions on a spreadsheet you have done parts of the process.  But, that isn’t going to likely be everything that you should be doing in an SRA.  Nothing else will be effective in your privacy and security program unless you have this done properly.  Go to what you have in the past and see if you have any step that included trying to figure out all the places PHI is created, received, maintained and transmitted.  Things like putting PHI on USB drives is probably happening and you don’t even know it.

Encryption matters even on desktops

We always say if it moves encrypt it but there are more cases coming up where desktop encryption would have saved the day.  We just told the story about the person buying a computer and wanting a code to be able to access it in the 6 Cybersecurity Lessons In The News episode.  It saved the day in the new case but all of these older cases were back in the day when encryption was the number one cause of a breach.  Those days are long, long gone.  It hasn’t always been the case before 2015 that you could count on encryption to protect you just because it wasn’t being used.  But, if you are not encrypting today you need to figure out why.  Back then, it was harder to do but today it shouldn’t require the same level of expense.

Note the tampering mentioned in the facilities controls.

The episode on cybersecurity lessons also discussed the importance of inventories to know where your systems are at and when they disappear.  Here are even more reasons to be reminded of that but there was another point in the facilities safeguards that they mentioned in the findings.

safeguard facilities and equipment from unauthorized access, tampering, and theft

Far too often when I am going through facilities I noticed little things like a wiring closet standing wide open.  Or a room that has a very nice sign that says COMPUTER ROOM with a door not locked.  All too often people just assume the environment they work in has nothing to worry about but we just can’t do that any longer.  It is now so very easy to come in with little hacking devices and tools on phones and even in your pocket.  Access to the computer room makes things really easy for someone who needs about 30 seconds to attach a device to your network.  The wiring closet door open in the hallway that every patient comes past on their way in and out of the exam rooms.  What if someone shows up that is really angry and on their way down the hall they stick a hand in and yank out as many wires as they can in one pass.

Train your staff and your managers that security isn’t convenient

A USB device was stolen from the car while parked at the office!  Seriously, you can’t take it in the office?

A laptop was stolen from the car at home with the passwords in the same bag!  Really, in the bag with it and both in the car overnight.

Employee reporting a missing drive and the manager does nothing about it!  Just wow.

At least with the last one, we get a positive note that at least one employee was worried enough about it to take action and use the anonymous reporting line.  This is why those lines are very important.  Kardon does it for a tiny fee because so many folks didn’t have a good option for taking calls where others wouldn’t know who left the message.  It is anonymous if I know your voice.

CAP is the where the meat of the lesson really lives.

Yes, the $3.5 million matters but I still find the corrective action plan (CAP) the most telling and probably the most painful for the organization to address.  If you don’t do your part of the deal over the 2-year period they can just go back to the civil money penalty discussion.  Based on the settlement that dollar amount must have been so big even Consuela would get a new identity!

Interesting that most of the items on the CAP were discussed in our HIPAA Made Easy episode last week.  Things that make you go hmmmm

  • Conduct Risk Analysis
  • Develop and Implement a Risk Management Plan
  • Implement Process for Evaluating Environmental and Operational Changes
  • Develop Encryption Report
  • Review and Revise Policies and Procedures on Device and Media Controls
  • Review and Revise Policies and Procedures on Facility Access Controls
  • Develop an Enhanced Privacy and Security Awareness Training Program

There are some very specific notes on these CAP requirements.  That may require a whole new episode but I did note some interesting points.  The enhanced term in the training program where they also added that existing mandatory training program must be augmented to include all the new things they are doing in the list above.

What was really interesting were the specifics of the encryption report requirements.  The report must consist of:

  1. The total number of all FMCNA Covered Entities’ devices and equipment including, but not limited to, desktop computers, laptop computers, tablets, mobile phones, USB drives, and medical equipment, that may be used to access, store, download, or transmit the FMCNA Covered Entities’ ePHI as of the date of the Encryption Report (“Covered Electronic Media”).
  2. The total number of Covered Electronic Media that are encrypted as of the date of the Encryption Report, as well as evidence of such encryption.

Boom, don’t just tell me you did it but really, really prove you did it.

For the first settlement of 2018, they certainly went big on their points they were making and the cash they were taking.  The message here is clearly that organizations reporting several small breaches aren’t being overlooked by OCR.  Nor do they give them a pass on failures when the management companies that covers multiple locations does the reporting.  So, 5 breaches even smaller ones add up.  Don’t make the same assumption with your small breaches not being a big deal.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.

Share This
HIPAA Boot Camp