On June 28, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with a Kentucky-based business associate that provides coding, billing, and onsite information technology services to healthcare providers. The settlement involved a data breach, where a network server containing the protected health information (PHI) of 267 individuals was left unsecure on the internet.
In August 2017, OCR initiated an investigation of the company following the receipt of a breach report stating that the company had experienced an unauthorized transfer of PHI, known as exfiltration, from its unsecured server. The PHI included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. In addition to the impermissible disclosure of PHI, OCR’s investigation found evidence of the potential failure by the company to have in place an analysis to determine risks and vulnerabilities to electronic protected health information (ePHI) across the organization.
The company has paid $75,000 to OCR and agreed to implement a corrective action plan, which identifies steps it will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of ePHI. Under the terms of the settlement agreement, the company will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. The company has agreed to take the following steps:
- Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the ePHI it holds;
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a process to evaluate environmental and operational changes that affect the security of ePHI; and
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.
Compliance Perspective
Issue
The Health Information Technology for Economic and Clinical Health Act or HITECH Rule expands the HIPAA Privacy Rule by extending the same confidentiality requirements to business associates of a facility. A business associate is any organization or person working with or providing services to a facility who handles or discloses PHI or Personal Health Records (PHR). The HIPAA Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. When a facility contracts with a business associate, such as the company that shreds confidential documents for the facility, a company that provides billing services, or a contract therapy or medical supply company, there must be a business associate agreement that addresses HIPAA.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy and Security rules, data integrity, and business associate agreements. Ensure that they address risk analysis and how to avoid falling prey to security breach efforts by unauthorized individuals. Update as new information becomes available.
- Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, including the requirements for conducting risk assessments.
- Periodically audit to ensure that the facility is updating and implementing security policies and procedures appropriately in response to environmental or organizational changes that affect the security of ePHI.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
