Ways to win $100

Ways to get an entry in the $100 Amazon card drawing  [41:10]

• Get 1 entry in the drawing:
  • Review/Recommend us online and send a screenshot to us
    • iTunes, Stitcher, our LinkedIn (1 entry per site)
  • Send in a question via email, social media, Speakpipe, etc
  • Do a shout out to us on social media twitter, FB, LinkedIn whatever using our profile @HelpMeWithHIPAA
• Get 2 entries in the drawing when you:
  • Complete our listener survey and add in the notes – Give me $100!  You must include your email in the notes too.
  • Send an email that we joked about sending at the end of one of our episodes about David – this is a trivia question to get extra entries for our regular listeners
• Get 3 entries in the drawing when you:
  • Sign up for the HIPAA Boot Camp

April 12, 2017

Metro Community Provider Network (MCPN)

$400,000 settlement and 3 year CAP

• January 27, 2012, MCPN filed a breach report
• hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident
• OCR investigation revealed that MCPN DID take the necessary corrective action related to the phishing incident
• HOWEVER…., the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012
  • No SRA – EVER
  • No risk management plan EVER
• It gets worse….
  

  When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule

• Official quote from Severino
  

  “Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

• https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html

Notes to self on this one

• If email, even encrypted, gets hacked they get all the data that is stored in that email account.
• If you panic and do an SRA at the last-minute – like after a phishing attack breach – you will likely not meet the standard and be in the same boat with these guys.

April 20, 2017

The Center for Children’s Digestive Health (CCDH)

$31,000 settlement and 2 year CAP

• Peds with 7 clinics in Illinois
• No BAA with FileFax, Inc since 2003.
• FileFax had received at least 10,728 individual’s PHI – they store inactive medical records
• A BAA was created in Oct 2015 when found out but too little too late…..
• Started by with an investigation of the BA FileFaxhttps://www.databreaches.net/il-medical-files-of-suburban-lung-associates-patients-found-in-filefax-dumpster/
  • Feb 2015 reporters found Filefax had company dumpsters full of medical records
    • more records in a parked company car could be read standing outside the car
• Neither CE nor BA could prove they ever had a BAA between them
• Chicago AG sues Filefax in May 2015 https://www.databreaches.net/illinois-ag-sues-records-storage-company-filefax-for-dumping-thousands-of-suburban-lung-associates-patients-records/
• Clearly, OCR also involved in investigation them since they picked up this little one from it. They started this investigation in August 2015.
• LOTS of CEs involved in this mess so don’t be surprised if more to come
• Official Severino quote wasn’t included – maybe it was just too hard to find something to say or there may be more to come on this – who knows
• https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html
• https://www.hhs.gov/sites/default/files/ra_cap_ccdh.pdf

Notes to self on this one

• Audit your BAAs and vet them!!!
• Don’t assume if your BA gets investigated it won’t come back on you.
• Don’t forget State Attorneys General can use HIPAA now too.
• CAP is mostly about written policies and procedures specifically relating to managing BAs

April 24, 2017

CardioNet – A CE in PA

$2.5 million settlement and 2 year CAP

• Some headlines made note of the wireless provider being a big deal
  

  This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmia.

• It didn’t say much though because it was still just an unencrypted laptop issue not the wireless device
• The real headline was
  

  $2.5 million settlement shows that not understanding HIPAA requirements creates risk

• Jan 10, 2012 report of laptop stolen from employees car outside their home
  • 1,391 patients on unencrypted device
• Feb 27, 2012 another breach reported
  • 2,219 patients this time
• Findings
  • Insufficient risk analysis and risk management program
  • Policies and procedures were in draft form and never implemented
  • There were zero finalized policies and procedures that could be produced
• Official Severino quote:
  

  Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.

• https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html
• https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html

Notes to self on this one

• If you are subject to HIPAA don’t just poke it with a stick
• Notified in May 2012 they were being investigated.
  • Settled just a short of 5 years later
• Templates are not gonna cut it. These are not the policies and procedures you are looking for (little hat tip to May the 4th needed to be in here)

Hopefully this will get released before they announce another settlement!