OCR recently announced four settlements in five weeks, each over $1 million. These four settlements show what OCR cares about and illustrate where a HIPAA compliance program needs to improve.
Some of the problems OCR found:
- failure to conduct a risk analysis
- failure to provide patient right of access
- failure to provide breach notifications
- lack of business associate agreements
- lack of access and audit controls
- failure to utilize device and media controls
- lack of encryption
- failure to restrict access to protected health information (PHI) to the minimum necessary
OCR Sounds Alarm About Noncompliance Crisis – Time to Wake Up
OCR is targeting multiple problems, but a recent quote from Roger Severino, OCR Director, in a Right of Access settlement, sums up their stance:
“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”
Roger Severino, OCR Director, December 12, 2019 announcement of the Korunda Medical Right of Access settlement*.
The four seven-figure settlements:
$2.175 Million for Failure to Properly Notify HHS of a Breach of Unsecured PHI
Sentara Hospitals sent the hospital bills of 577 patients to the wrong recipients. OCR investigated when one of those patients alerted them about the misdirected bills. Sentara operates 10 acute care hospitals in Virginia and North Carolina. The hospital reported the breach for only eight of the patients’ PHI, because it mistakenly believed that PHI must include a diagnosis, treatment information, or other medical information. Even after OCR advised Sentara of its duty to report, the hospital failed to properly notify OCR of the breach.
Sentara also failed to have business associate agreements with subsidiary hospitals even though it provided business associate services to those subsidiaries.
Lesson 1: Learn the basics of the Breach Notification rule, and when OCR instructs, do what they ask.
$1.6 Million – Texas State Health Agency Slammed for No Access Controls or Risk Analysis
The Texas Health and Human Services Commission (TX HHSC) was fined because it permitted thousands of patients’ PHI to become public: it moved data from a private, secure server to a public server, and a flaw in the software code allowed access to PHI without access credentials and without any auditing capability.
OCR’s investigation uncovered that there were no access controls on any of TX HHSC’s systems or applications and TX HHSC failed to conduct an enterprise-wide risk analysis.
Lesson 2: Don’t shortchange your HIPAA Risk Analysis, and make sure it is site-specific.
$3 Million for University of Rochester Medical Center After Failing to Encrypt Mobile Devices
The University of Rochester Medical Center (URMC) agreed to pay $3 million to OCR and take substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules. URMC is one of the largest health systems in New York State, with over 26,000 employees.
A lost unencrypted flash drive in 2010 and a stolen unencrypted laptop in 2017 caused OCR to hit hard with one of the largest settlements this year. The laptop breach affected 43 patients, but because OCR had instructed URMC about the importance of encryption seven years earlier, and because URMC had failed to conduct a HIPAA Risk Analysis, OCR’s settlement was steep.
In addition to the $3 million, OCR imposed a corrective action plan requiring an enterprise-wide risk analysis, a risk management plan, evaluation of operational changes, updating and distribution of policies and procedures, training, and reports. Less publicized than the money payments, the corrective action plans can be burdensome and last two to three years after the settlement.
Lesson 3: Encrypt mobile devices and when OCR instructs, do what they ask.
$2.154 Million Against Florida Health System Shows Importance of Risk Analysis Documentation and Risk Management Follow-Through
Jackson Health System (JHS) in Miami failed to do a good HIPAA Risk Analysis between 2009 and 2017. As part of its investigation, OCR evaluated several years of JHS’ Risk Analyses and noted they were “insufficient”.
JHS operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics. JHS provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals.
JHS’ Risk Analysis-Risk Management insufficiencies:
- Analyses conducted before 2017 erroneously identified several provisions of the Security Rule as not applicable
- Multiple analyses were deficient in scope (i.e., failed to include all electronic PHI) and did not identify the totality of threats and vulnerabilities in its system
- JHS did not provide evidence or documentation of a response to third-party recommendations from a 2014 analysis
- Certain portions of multiple analyses were left blank
- JHS did not remediate risks, threats, and vulnerabilities identified by the 2015 risk analysis to a reasonable and appropriate level
- A third-party vendor identified high-risk threats in 2014 that were still identified as high risk in 2015
Lesson 4: Don’t shortchange your Risk Analysis and be sure to document findings and follow through with Risk Management actions throughout the year.
The HIPAA E-Tool® Costs Less Than a Cellphone Bill but Protects Against Massive Fines
If only these four covered entities had used The HIPAA E-Tool® and completed its interactive Risk Analysis they wouldn’t have paid seven figures and been saddled with corrective action plans.
OCR is serious about enforcement. But HIPAA compliance is easy to follow step-by-step, if you know the steps.
We can show you.
* Korunda Medical LLC paid $85,000 for failing to provide right of access to a patient. Although smaller than the others, it is noteworthy as the second settlement under OCR’s HIPAA Right of Access Initiative. Korunda is a Florida covered entity providing primary care and interventional pain management to approximately 2,000 patients annually.