Recorded during our first live broadcast, this episode covers several OCR announcements. We start with the OCR phishing alert. Followed by that we discuss OCR’s guidance that said you should consider multi-factor authentication in your risk analysis. The recorded video from the live broadcast of OCR Phishing episode is included below the show notes.
There have also been more resolution agreements that we haven’t covered on an episode so we hit those, as well.
OCR Phishing Warning About Fake HIPAA Audit Emails
- Saw another announcement from a vendor that they were officially HIPAA compliant.
- Client sent an email showing another vendor misspelled HIPAA in the subject line of a marketing email
- Mass mailing OCR phishing emails is probably not going to be a good thing for the firm that tried it.
OCR released a bulletin on considering 2SV, 2FA, MFA in your risk analysis
- Explains MFA a bit and suggests that you evaluate if it is best for you
More resolution agreements
- Another in Oct and one more in Nov. Total for the year is at 14 (no more than 6 before this year).
- Total $$ so far $23,723,700 – long ago exceeded the $6 million max before
Resolution agreement with St Joseph in Oct for $2,140,500
On February 14, 2012, SJH reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that certain files it created for its participation in the meaningful use program, which contained ePHI, were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines. The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
- Impermissible disclosure of 31,800 patients for over 1 year
- No risk analysis when implementing new servers and solutions in their environment from July I, 2010 to July 10,2012
- From July I, 2010, to the present, SJH failed to satisfactorily conduct an
accurate and thorough analysis of the potential risks and vulnerabilities to the ePHI held by SJH
- Those violations could have resulted in at least 20 times more fines than the settlement
- CAP of 3 years with std stuff about Risk Analysis, Risk Mgmt, P&P and Training
Resolution agreement with UMASS in Nov for $650,000
On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (the “Center”) was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.
UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components. Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note: The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
- No technical security measures in place at the Center (no firewalls, etc)
- No Risk Analysis until Sept 2015
- Impermissible disclosure
- CAP for 2 years with standard requirements
What do we think will happen with HIPAA in 2017
- Audit program
- On site due to begin in 1st qtr and not likely to change
- BA audits appear to be happening now based on the info about the phishing email
- What politician will be the one to say they don’t want to enforce cybersecurity protections for patient information after all
- Expect changes in security requirements based on previous reports and criticisms from both parties