OCR Resolutions 3 and 4 for 2017 were released in February.  Examples of what not to do from OCR were released AGAIN.  We kept waiting for another resolution to be announced and lump them together.  Once we gave up and recorded this episode to review those two you know another one was announced.  We will hit that one next time.  For now, we review what happened in these cases that resulted in OCR resolutions after a breach notification started an investigation.  They are so kind to give us examples of what not to do from OCR without us paying for it!

In this episode:

HIPAA Boot Camp

Speaking Events

• GA MGMA – Hilton Head
• Boot Camp
• Local MGMA – Valdosta
• AALA

Mecklenburg county clinics breach

Childrens OCR fine [12:04]

Memorial OCR resolution [27:22]

Examples of what not to do from OCR

2017-3 Children’s Medical Center

The $3.2 million HIPAA fine Children’s Medical Center that was recently announced by OCR has much to say about the case. That statement itself is important:

$3.2 Million HIPAA Fine.

This was not a settlement. It was a fine.

That means they were fined for the problems and didn’t just settle for less money and a corrective action plan. This is only the 3rd time in HIPAA history that has ever happened. The second time was in 2016.

Is this a sign of things changing within OCR investigations? We review the case and the stories published about it to try to figure out just what was going on with Children’s Medical Center for them to be the first one in 2017, at least, to pay a $3.2 million HIPAA fine.

What happened?

• Jan. 18, 2010, Children’s filed a breach report about the Nov. 19, 2009, loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals.
• July 5, 2013, they filed another breach report on the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. That device contained the ePHI of 2,462 individuals.

Official documentation has 20 different notes of issues found in their investigation and attempts to resolve things

• On January 18, 2010, Children’s filed a HIPAA Breach Notification Report with OCR in which it reported the loss of an unencrypted, non-password protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. Children’s reported the device contained the electronic protected health infonnation (ePHI) of approximately 3,800 individuals. OCR notified Children’s, in writing, of its commencement of an investigation of this breach report and of Children’s compliance with the Privacy, Security and Breach Notification Rules on or about June 14, 2010.
• During the course of OCR’s investigation, Children’s submitted a Security Gap Analysis and Assessment conducted for Children’s December 2006- February 2007 by Strategic Management Systems, Inc. (SMS) (SMS Gap Analysis). The SMS Gap Analysis identified the absence of risk management as a major finding and recommended that Children’s implement encryption to avoid loss of PHI on stolen or lost laptops.
• In August 2008, PricewaterhouseCoopers (PwC) conducted a separate analysis and determined that encryption was necessary and appropriate. The PwC Analysis also determined that a mechanism was not in place to protect data on a laptop, workstation, mobile device, or USB thumb drive if the device was lost or stolen and identified the loss of data at rest through unsecured mobile devices as being”high”risk. PwC identified data encryption as a “high priority” item and recommended that Children’s implement data encryption in the fourth quarter of 2008.
• With all that info and plenty of tech options available, Children’s had not implemented encryption on all devices as of April 9, 2013
• Even knowing the risks and recommendations back that far Children’s issued unencrypted BlackBerry devices to nurses beginning in 2007 and allowed its workforce members to continue using unencrypted laptops and other mobile devices until at least April 9, 2013
• CE must document why it would not be reasonable and appropriate and must implement an equivalent alternative measure, if reasonable and appropriate. Children’s failed to appropriately document its decision to not implement encryption on mobile devices and/or any applicable rationale behind a decision to use alternative security measures to encryption. Children’s did not implement security measures that were an equivalent alternative to the security protection available from encryption solutions as recommended by the 2007 SMS Gap Analysis and the 2008 PwC Analysis
• Prior to at least November 9, 2012, Children’s did not implement sufficient policies and procedures that govern the receipt and removal o f hardware and electronic media that contain ePHI into and out o f its facility, and the movement o f these items within the facility
• Children’s did not conduct a complete inventory to identify all devices to which its IT asset policies apply to ensure that all devices were covered by its device and media control policies
• In a letter dated August 22, 2011, from Children’s VP of Compliance and Internal Audit and Chief Compliance Officer Ron Skillens to OCR Equal Opportunity Specialist Jamie Sorley, Mr. Skillens stated that a Children’s workforce member (an unidentified medical resident) lost an iPod device in December 2010. The iPod had been synced to the resident’s Children’s email account, which resulted in the ePHI of at least 22 individuals being placed on the device. The ePHI on the iPod was not encrypted.
• In September 2012, the HHS Office o f the Inspector General (OIG) issued the findings from its audit that focused on information technology controls for devices such as smartphones and USB drives
• On July 5, 2013, Children’s filed a separate HIPAA Breach Notification Report
• In Children’s July 5, 2013, Breach Report they explained they had not really protected the protected storage room for laptops. Children’s internal investigation concluded that the laptop was probably stolen by a member o f the janitorial staff
• that makes another violation
• OCR’s investigation indicated Privacy and Security Rule noncompliance by Children’s, OCR attempted to reach a resolution o f the matter by informal means during the period from approximately November 6, 2015, to August 30,2016.
• They gave up May 10, 2016 and moved down the path of fines
• OCR has determined that the information and arguments submitted by Children’s do not support an affirmative defense
• OCR got approval from US attorney general before making the fines

Over 3 years later and they still haven’t encrypted mobile devices. Their SRAs showed them back to 2007 as a risk and continued to show them right up until now.

OCR investigation revealed that

Children’s noncompliance with HIPAA rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013

What were the violations that resulted in the fines

Let us count the ways….

How did they get to a $3.2 million HIPAA fine

• Sounds like Children’s didn’t cooperate very well.
• Also sounds like they realized it was really bad and if they pushed it could get much worse (wonder if they knew that OCR didn’t find everything?)
• Multiple violations
• Non-compliance over many years with multiple standards of the HIPAA Security Rule.

“OCR issued a Notice of Proposed Determination … which included instructions for how Children’s could file a request for a hearing. Children’s did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children’s [has] paid the full civil money penalty of $3.2 million,” OCR says.

What do we think this means to the rest of us?

• They took into account it was a Children’s hospital or they could have really nailed them to the proverbial wall.

2017-4 Memorial Healthcare System OCR Resolution

$5.5 million settlement

What happened?

Memorial reported breach 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff.

1. On April 12, 2012, MHS submitted a breach report to HHS indicating that two MHS employees inappropriately accessed patient information, including names, dates of birth, and social security numbers.
2. On July 11,2012, MHS submitted an additional addendum breach report to notify HHS that during its internal investigation, it discovered additional impermissible access by 12 users at affiliated physician offices, potentially affecting another 105,646 individuals. Some of these instances led to federal charges relating to selling protected health information (PHI) and users at affiliated physician offices, potentially affecting another 105,646 individuals filing fraudulent tax returns.

The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.

Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

What were the violations that resulted in the settlement

• MHS impermissibly disclosed the PHI of 80,000 individuals when it provided access to such PHI to a former employee of an affiliated physician practice from April 1, 2011 to April 27, 2012 in violation of the Privacy Rule. (392 days or violations)
• From January 1, 2011, to June 1, 2012, MHS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports in violation of the Security Rule. (517 days or violations)
• From January 1, 2011 until June l, 2012, MHS failed to implement policies and procedures that, based upon MHS’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process in violation of the Security Rule (517 days or violations)

How did they get to a $5.5 million HIPAA settlement

• 392 days or violations
• 517 days or violations
• 517 days or violations
• Total violations 1,426

Not willful neglect issues $1,100 = $1,568,600
Correct in 30 days, willful neglect$1,1000 = $15,686,000

What do we think this means to the rest of us?

• Check your access logs regularly
  • SIEM
  • SPHER
• Make sure your BAs notify you if an employee that has access leaves their employee
  • Audit their employee access regularly to make sure they are doing it

Clearly the enforcement messages in the continued OCR resolutions we see are making a point.  The OCR leadership has even gone so far as to say they address specific cases that have a potential for making a point.  They actually do make an effort in these cases to give us examples of what not to do from OCR in every one of these cases.

Please remember to follow us and share us on your favorite social media site and rate us on your podcasting apps, we need your help to keep spreading the word.

To help us out even more take our listener survey.