OCR recently announced a jaw-dropping settlement that should have every healthcare professional on high alert: an insider breach with staggering repercussions, leading to a monumental $4,750,000 settlement and a two-year CAP. HHS has also released new cybersecurity resources and guidance, and more is to come. There is no excuse anymore, folks. Cybersecurity is everyone’s responsibility, and OCR’s enforcement of privacy and security failures is picking up.
In this episode:
Insider Breach Gets Huge OCR Settlement – Ep 446
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side, you can click them and go directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
HIPAA Say What!?!
[06:21] Audits may be coming back soon: Posted in the Federal Register, OCR is doing some data collection about the 2016–2017 HIPAA Audits:
Online survey of “39 questions that will be sent to 207 covered entities and business associates that participated in the 2016–2017 OCR HIPAA Audits. The survey will gather information relating to the effect of the audits on the audited entities and the entities’ opinions about the audit process.”
“OCR is conducting a review of the 2016–2017 HIPAA Audits to determine its efficacy in assessing the HIPAA compliance efforts of covered entities.”
“Measure the effect of the 2016–2017 HIPAA Audits on covered entities’ and business associates’ subsequent actions to comply with the HIPAA Rules.”
Insider Breach Gets Huge OCR Settlement
[13:34] HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million
The first settlement announced in 2024 is a whopper! Note: This agreement was signed Nov 16, 2023. We don’t know why the announcement was held until now, but it sure makes it hard to track resolutions by year. For our part, we will just stick with the announcement date.
Montefiore Medical Center, a non-profit hospital system based in New York City, has the joy of dealing with the big announcement. The settlement amount on this one is $4,750,000. As a point of reference, that amount is more than the total of all settlements announced in 2023, and more than the total announced for 2022. Back in 2021 the total settlement amount was just below $6m.
This one hit a nerve because it involved an insider abusing their privileges for financial gain. Just speculation here, but the delay may have something to do with a criminal case because this one certainly warrants being sent over to the DOJ.
The press release starts with a point about that right from the beginning:
What happened?
[17:42] In May 2015, the NYPD informed Montefiore Medical Center that there was evidence of theft of a specific patient’s medical information. After being told it was happening, Montefiore Medical Center conducted an internal investigation. That is how they discovered that two years prior, one of their employees had stolen the PHI of 12,517 patients and sold the information to an identity theft ring. You know that was a great day for those doing the research. Of course, after that finding, Montefiore Medical Center filed a breach report with OCR. A few of the big points here:
- It is not good when you get notified by someone else that there has been a breach of PHI.
- It really isn’t good if you are being notified by law enforcement, because that means it is really bad.
- You also don’t want to realize the employee got what they wanted two years ago and it was never caught by your staff or systems.
The HHS investigation found that they really had nothing in place to catch it, or what they did have in place didn’t work at all. The findings were the usual – no SRA (security risk analysis), so nothing else was properly done from the get-go.
The problem here is that it happened way, way back in 2015. It was so long ago that we were in a much different place. We can only hope that the same thing would not happen today at a site like this one. We can wish, right?
What is in the CAP?
The 2-year CAP is much of the usual.
The press release included these bullets, which is a good thing they started doing; before, the announcements didn’t point out specifics of the CAP that much.
- Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
- Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;
- Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic protected health information;
- Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
- Providing training to its workforce on HIPAA policies and procedures.
What is the message from HHS?
[25:36] As always, we have a quote from the OCR Director to point out the message they are trying to send with each announcement. But this one even has one from the HHS Deputy Secretary, Andrea Palm. This is all about pointing out that the plans for getting tougher are being implemented.
“Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.” – OCR Director Melanie Fontes Rainer
- Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.
- [33:12] Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned.
- Ensuring audit controls are in place to record and examine information system activity.
- Implementing regular review of information system activity.
- Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
- Encrypting protected health information to guard against unauthorized access.
- Incorporating lessons learned from previous incidents into the overall security management process.
- Providing training specific to organization and job responsibilities and on a regular basis; and reinforcing workforce members’ critical role in protecting privacy and security.
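Two of the items above, the CAP requirement to put in place mechanisms that record and examine activity in systems holding ePHI and the OCR recommendation to implement regular review of information system activity, are where an insider pulling records for two years should have been caught. The script below is an added illustration of what such a review can look like; it is not code from the show, from Montefiore, or from OCR. It assumes a simple line-per-event audit format (timestamp, user, patient id, action) and constructs its own sample data, with user names and thresholds that are assumptions. It counts distinct patient records per user per day and flags two patterns: a one-day spike against the user's own history, and the quieter, sustained over-access that never spikes on any single day but sits far above peers over the whole period.

```python
"""Audit-log review of ePHI access activity.

Added example for this page (not code from the show or from OCR). The log
format, user names and thresholds are assumptions; a real review would read
the EHR audit trail instead of the constructed sample below.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median


def build_sample_log():
    """Constructed sample records (not real data), one per line:
    '<ISO timestamp> <user> <patient id> <action>'.
    alice, bob and carol have small, steady daily volumes; bob has a one-day
    spike on 2015-03-07; mallory views about 25 distinct patients every day."""
    lines, pid = [], 1000
    for day in range(1, 11):
        date = f"2015-03-{day:02d}"
        for user, n in (("alice", 3), ("bob", 4), ("carol", 2), ("mallory", 25)):
            if user == "bob" and day == 7:
                n = 30
            for i in range(n):
                pid += 1
                lines.append(f"{date}T{8 + i % 9:02d}:{i % 60:02d}:00 {user} P{pid} VIEW")
    return lines


def parse_line(line):
    """Split one audit record into (timestamp, user, patient, action)."""
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def daily_distinct_patients(lines):
    """Map user -> {date: number of distinct patient records touched that day}.
    Distinct patients rather than raw events, so repeated views of one chart
    do not inflate the count."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, user, patient, _ = parse_line(line)
        seen[user][ts.date()].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_daily_spikes(counts, min_days=3, factor=5.0, floor=10):
    """Days on which a user touched far more patients than on their other days.
    Returns (user, date, count, baseline); baseline is the median of the
    user's other days. The floor keeps low-volume users from tripping on noise."""
    findings = []
    for user, days in counts.items():
        if len(days) < min_days:
            continue  # too little history to establish a personal baseline
        for date, count in sorted(days.items()):
            baseline = median(c for d, c in days.items() if d != date)
            if count > max(floor, factor * baseline):
                findings.append((user, date.isoformat(), count, baseline))
    return findings


def flag_sustained_volume(counts, factor=3.0, floor=10):
    """Users whose average daily volume sits far above the peer median over
    the whole period. This is the pattern a spike check misses: steady, quiet
    over-access that never stands out on any single day."""
    per_user_avg = {u: mean(days.values()) for u, days in counts.items()}
    peer_median = median(per_user_avg.values())
    threshold = max(floor, factor * peer_median)
    return [(u, round(avg, 2), round(peer_median, 2))
            for u, avg in sorted(per_user_avg.items()) if avg > threshold]


def review(lines):
    """Run both checks over a list of audit lines and return the findings."""
    counts = daily_distinct_patients(lines)
    return {"spikes": flag_daily_spikes(counts),
            "sustained": flag_sustained_volume(counts)}


if __name__ == "__main__":
    for kind, items in review(build_sample_log()).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed data the spike check reports only bob's 30-patient day, and the sustained check reports only mallory, whose 25-a-day pace never spikes but is roughly five times the peer median. The thresholds are deliberately conservative; in practice they would be tuned per role, and any finding is the start of a review, not a conclusion.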
After this is a list of resources OCR provided in the fall of 2023.
Between this delayed announcement and the questions on the eCFR, it certainly seems that enforcement activity will be picking up. While we would prefer that the enforcement part not be required, it is a necessary component of regulations. We had voluntary HIPAA for several years. It was never taken seriously.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.