An $875,000 HIPAA Lesson

“A stitch in time saves nine.” is a childhood phrase, reminding persons to act NOW when the issue arises; otherwise, to risk unknown FUTURE outcomes, often negative, costing more time and resources to make right.

The enforcement arm for HIPAA compliance, the Office of Civil Rights (OCR) announced in a recent press release the $875,000 settlement fee payable by a university medical center for potential violations of HIPAA’s breach notification rules. A saga that started in 2016 was reported in 2018. Why? The medical center wasn’t aware that protected health information (PHI) was stored on the compromised server accessed by the hacker (who installed malware (AKA, a virus) enabling access to 275,000 persons’ PHI).

HIPAA Covered Entities (CE – health plans, healthcare providers, and healthcare clearinghouses) are required to comply with HIPAA Security Rule specifications regarding protections for electronic PHI (ePHI). A key element for CEs in protecting ePHI is to conduct a HIPAA Security Risk analysis, including identification of ePHI within business systems; assessment of vulnerable areas open to threat; implement safeguards to protect ePHI; and maintain such safeguards.

The OCR report outlined the center’s failures (once again cautioning CEs) and remediation process, a costly and extensive one that could have been prevented with a thorough security risk analysis and maintenance program.

“OCR determined that the medical center had allowed unauthorized uses and disclosures of PHI and had not (1) implemented adequate security incident response and reporting protocols; (2) conducted an adequate risk analysis or evaluation; (3) adopted adequate audit controls; or (4) provided timely breach notification to individuals or HHS.*”

Besides the penalty, the center must implement an extensive corrective action plan (CAP) that includes the following:

  • Creation of an enterprise-wide risk analysis and corresponding risk management plan, subject to OCR review and approval.
  • Revising its privacy, security, and breach notification policies and procedures consistent with the risk analysis and risk management plan.
  • Distributing the OCR-approved policies and procedures (P&Ps) to workforce members
  • Incorporating such P&Ps into training materials that must be included in training sessions for all workforce members.
  • Training workforce members within 15 days after start date
  • Engaging an OCR-approved independent monitor to analyze and assist with the medical center’s compliance with the CAP
  • Submitting periodic reports to OCR describing compliance with the CAP for two years.*

*Source: EBIA’s Checkpoint

Leave a Reply

Your email address will not be published. Required fields are marked *