HIPAA OCR Enforcement

OCR has been busy closing out investigations lately.  They announced 2 more enforcement actions in early November.  One was a settlement in NY, but the other was a civil money penalty with Texas HHSC. Let’s review these 2 new OCR enforcement actions to see what we need to learn from the details released.


In this episode:

OCR Enforcement Picks Up – Ep 232

The HIPAA Boot Camp

2020 Sessions Dates Spring March 24-26, 2020

For info go to TheHIPAABootCamp.com


Share Help Me With HIPAA with one person this week!

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

We have been remiss in acknowledging our Patreon sponsors.

SHOUT OUT TO OUR PATREON SUPPORTERS

John Dubinski

George Fenton – Kenneth Sims

Listener survey feedback:

Provide better show notes distributed in the RSS feed for podcast players.

The feed on the podcast players all have a link to the show notes post on the website.  You can also subscribe to the feed on the website that has all of the notes published.  

BTW, I switched the website feed to be summary instead of detail and the next week, this note came in. Wow, happenstance or someone noticed that quickly, either way it is enough of a sign that I switched it right back.

Some recent reviews:

CURRENT AND UP TO DATE HIPAA INFO    5 star review
November 1, 2019 by Betsykruton from United States
The Help Me With HIPAA podcast is always aligned with the current issues concerning HIPAA and compliance in today’s business world. I always learn something new and am always entertained by Donna and David! If you need to know about HIPAA and compliance you need to listen to this podcast!
Funny and knowledgeable    5 star review
October 1, 2019 by Cmprather from United States
In so many of the episodes, I feel that these two understand all too well the pain of dealing with businesses these days who make up their own rules or try to circumvent existing policies when it comes to protecting data, regardless of whether it’s HIPAA related or not. Donna and Dave’s podcast cohesiveness makes for an awesome show every time. Would love to catch up with them at a conference – glad they are successful and are willing to share so much of their experience and knowledge. They never disappoint so give this a listen!

OCR Enforcement Picks Up

OCR enforcement announcements were really light in the first half of the year, but they have been closing some out as the end of 2019 draws near.  There were 2 OCR enforcement actions announced during the HIPAA Boot Camp just a couple of weeks ago.  URMC was announced on Nov 5, the first day, and Texas HHSC was announced Nov 7, the last day.  It seems that things happen when we have our boot camps.  WannaCry hit, settlements are announced, major breaches are announced, etc., each time we have one.  Wonder what will happen with the next one!

OCR Enforcement 1 in November: URMC

Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk.  When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.

– Roger Severino, OCR Director

The first announcement was that the University of Rochester Medical Center (URMC) agreed to pay a $3 million settlement and enter into a 2 year corrective action plan (CAP).  This one is interesting because they were a triple dipper with OCR investigations relating to one problem.

That quote from Severino really does point out the core issue with this case.  Bottom line here is you don’t have a breach and then years later have another breach due to the exact same issue.  On February 15, 2013 an unencrypted USB drive with PHI on it was lost.  They reported it May 6, 2013, which prompted an OCR investigation notification in June 2013.

Before that was resolved, on January 26, 2017, URMC reported another breach: an unencrypted personal laptop belonging to one of the resident surgeons on staff was stolen from one of their centers and, of course, it had PHI on it.

So 4 years later they still had unencrypted devices being lost.  One would think that is bad enough, but wait, there’s more.  What we didn’t start with here is that in 2010 URMC reported a breach due to losing an unencrypted flash drive.  OCR provided “technical assistance” when they looked into that case.  What that means is they told them you really should make sure everything like that is encrypted. URMC promised to do better and that was the end of it.  This is the way a large number of those thousands of cases closed each year are handled.  But URMC didn’t really change their ways, so there was a breach in 2013.  To make it even worse, the 2017 one happened.  That is a 7 year period where encryption problems were not addressed!

What is that saying?  Fool me once shame on you, fool me twice shame on me.  OCR enforcement was absolutely necessary when you look at this case.  There is no way they could say they didn’t know there was a problem on the second case much less on the third one.

The CAP is pretty standard including a risk analysis, risk management plans, policies, procedures, training, etc.  The one specific I noted was this requirement:

URMC shall develop a process to evaluate any environmental or operational changes that affect the security of URMC ePHI.

Looks like they may be cracking down on doing the SRA more than just once every few years.  There are changes happening all the time that are not evaluated but this is the first time I recall seeing it specifically addressed in a CAP.  Time we start paying more attention to that requirement and do more frequent SRAs when they are needed.

OCR Enforcement 2 in November: Texas Health and Human Services Commission

This case originated from just one department, the Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging and for people with intellectual and physical disabilities.  On June 11, 2015, DADS reported a breach of 6,617 patients who had their information out on the public web.

It seems that when they moved the information from a private server to a public cloud-based server, “a flaw in the software code allowed access to ePHI without access credentials.”  Yes, we have another one related to IT staff or developers not making sure the information is properly secured.  This is why you do an SRA and develop checklists when you are moving sensitive data around.  You have to like how blunt the director’s quote is for this one:

Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search.

– Roger Severino, OCR Director

Seriously, no one should have to worry about private healthcare information being out there showing up on a Google search.

In Sept 2017, this department was abolished and rolled into the Texas Health and Human Services Commission, which is taking the punishment.  Those who are out there acquiring organizations covered under HIPAA should make note of this case.  It isn’t the first and certainly won’t be the last where problems are inherited and leave you paying the bill.  This is not a settlement but a civil money penalty of $1,600,000.

The details in the determination tell us that this involved an internal reporting application that they used to complete reports required by CMS.  When the server migration took place, something opened it up.  They realized it had been “allowing an undetermined number of unauthorized users to view the ePHI without verifying user credentials.”  The real kicker is they found out about it from a user who accessed the information without any login and reported it.  They never found it themselves.

Among the specific findings included in the list of things done wrong were a couple of interesting ones:

HHSC failed to implement access controls on all of its systems and applications throughout its enterprise.

HHSC provided no evidence that the application was capable of auditing user access after it was moved to the unsecure public server.

There were others, but I thought it was interesting that they point out there were no controls on anything. I don’t know if there weren’t other apps or if this was widespread.

With the CMP we get to see what makes up the amount they paid.  Here is how they documented how the amounts were determined.

Number of individuals whose ePHI was impermissibly disclosed in 2015 due to placing a web application on its public server that permitted unauthorized users to view ePHI without verifying user credentials – 6,617 (maximum penalty of $100,000 for reasonable cause).

The failure to implement access controls was also rated as reasonable cause, but that one applies to all years.  They did the maximum of $100,000 for each documented year, 2013 – 2017.  This was done two more times.  First for the lack of access controls and then again for the lack of audit controls over the same time frame.  Then, it was done for the lack of a proper risk analysis for the same time frame.

The lack of a proper risk analysis rears its ugly head again and again.  As we discussed last week with Erik, maybe we should start a list of all the things that are NOT a proper risk analysis.  It is very hard to say what specifically is one because they are going to be a bit different each time.  However, we do have plenty of cases of what they did that was inadequate.

As we get closer to the end of the year, it is likely that we will see at least one or two more of these OCR enforcement actions, either settlements or CMPs.  The fact that there are still thousands open means they have plenty to choose from, but who knows when we will see them.  I know there are some very close to being resolved one way or another that have a great chance of being on this list.  It may be 2020, but there are going to be more now that we are finally in the time frame when data breaches in healthcare started to explode.  Ironically, that was also when HITECH rules were supposed to be the standard.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.