HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer, November 2019
There were some HIPAA Privacy & Security settlements since the last issue, and I’ll be updating you on the NIST/HHS/OCR annual Safeguarding Health Information: Building Assurance Through HIPAA Security conference in Washington, DC October 16 & 17, 2019. I was of course in attendance.
In the most recent case, OCR imposed a $2.5 million civil monetary penalty (CMP) against Jackson Health System for violations of the HIPAA Security and Breach Notification Rules between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida, which operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics. JHS provides health services to approximately 650,000 patients annually and employs about 12,000 individuals.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Management Department had lost paper records containing the PHI of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, or the increased number of affected individuals (1,436), until June 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared on social media a photograph of a JHS operating room screen containing the patient’s medical information. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.
OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict its workforce members’ authorized access to patient ePHI to the minimum necessary to accomplish their job duties.
JHS waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination and JHS paid the full civil monetary penalty.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
SOCIAL MEDIA PENALTY… In another case, reported by HHS/OCR on October 2, 2019, a dental practice, Elite Dental Associates of Dallas, agreed to pay $10,000 to the Office for Civil Rights (OCR) and adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule. Elite is a privately owned dental practice providing general, implant, and cosmetic dentistry.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health information. OCR’s investigation found that Elite had impermissibly disclosed the PHI of multiple patients in response to patient reviews on Elite’s Yelp review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients, nor a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
“Social media is not the place for providers to discuss a patient’s care,” said Roger Severino, OCR Director. “Doctors and dentists must think carefully about patient privacy before they respond to online reviews.”
In addition to the monetary settlement, Elite will undertake a corrective action plan that includes two years of monitoring by OCR for compliance with the HIPAA rules.
On September 9, 2019, HHS/OCR reported that OCR had settled its first case under its HIPAA Right of Access Initiative. Earlier this year, OCR announced this initiative, promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.
Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle potential violations of the right of access provision of the HIPAA rules, after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians.
OCR initiated its investigation based on a complaint from the mother. As a result, Bayfront directly provided the requested health information more than nine months after the initial request. The HIPAA rules require that health care providers generally provide such records within 30 days of the request, and they may charge only a reasonable, cost-based fee.
In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR.
As an update from the HIPAA Security conference on Oct. 16 & 17, 2019, it was reported that the breakdown of breaches affecting 500+ individuals by type of breach changed significantly, with hacking/IT incidents increasing considerably in the past year, which is no surprise.
From January 1, 2018 to December 31, 2018, OCR reported that hacking/IT was 43% of all breaches, theft and loss 15%, unauthorized use and disclosure 40%, and improper disposal 2%. January 1, 2019 to September 30, 2019 shows hacking/IT increasing from 43% to 61%, and theft and loss decreasing from 15% to 10%, likely because more devices are now encrypted. Unauthorized disclosure went down from 40% to 27%, and improper disposal went down from 2% to 1%.
Looking at the locations of the 500+ breaches, email was 29% for 2018 and increased to 40% for the first nine months of 2019. Network servers increased from 18% in 2018 to 25% in 2019.
The primary concerns of OCR currently are cybersecurity concerns and trends… These include ransomware, phishing attacks, Remote Desktop Protocol (RDP) vulnerabilities, weak authentication (single-factor, poor password rules), and access controls (for both current and former workforce members). I will provide more information as space permits in the next issue of the COIN! ##