OCR Settles HIPAA Investigation Following Unlawful Disclosure of PHI on Unsecured Server

On May 16, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered healthcare entities. The settlement concludes OCR’s investigation of a data breach in which a server containing the protected health information (PHI) of 230,572 individuals was left unsecured and accessible on the internet.

In July 2018, OCR initiated an investigation of the business associate following the receipt of a breach notification report stating that a File Transfer Protocol (FTP) server containing ePHI was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases Social Security numbers.

The potential HIPAA violations in this case included the lack of an analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization, and the failure to enter into a business associate agreement with a subcontractor. The HIPAA Rules require that covered entities and business associates (a person or entity that has access to PHI as part of its relationship with a covered entity) enter into contracts—or business associate agreements—that generally document the permissible uses and disclosures of PHI, that appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches. The business associate has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan that identifies the steps it will take to resolve these potential violations and protect the security of ePHI.

As a result of the settlement agreement, the business associate will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. The following steps will be undertaken:

    • An accurate and thorough risk analysis will be conducted to determine risks and vulnerabilities to electronic patient/system data across the organization;
    • A risk management plan will be developed and implemented to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
    • Written policies and procedures will be developed, maintained, and revised as necessary to comply with the HIPAA Privacy and Security Rules;
    • The existing HIPAA and Security Training Program for all of the business associate’s workforce members who have access to PHI will be augmented; and
    • When workforce members fail to comply with the business associate’s written policies and procedures to comply with the HIPAA Privacy and Security Rules, it will be reported to HHS within sixty (60) days.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

Compliance Perspective

Issue

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Hacking/IT incidents were the most frequent (79 percent) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals. It is critical that HIPAA-covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and the Security Rule. Ensure that they address how to best safeguard patient data from cyberattacks. Update as new information becomes available.
    • Train appropriate staff on HIPAA, PHI, and the Security Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
    • Periodically audit to ensure that recognized security practices are fully implemented, and that staff are adhering to data integrity security measures. Also audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Security Rule are being followed.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
