On September 11, 2023, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with the nation’s largest publicly operated health plan that provides healthcare benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI).
The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident. Under the agreement, the company agreed to pay $1,300,000 and to implement a corrective action plan which identifies steps it will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).
The potential violations included:
- failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
- failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
- failure to implement sufficient procedures to regularly review records of information system activity,
- failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
- failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across the company’s organization. In addition to the monetary settlement, the company has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA. It will:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
- Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
- Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in the company’s possession or control.
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.
OCR and the Office of the National Coordinator for Health Information Technology (ONC) have recently updated and released the Security Risk Assessment Tool 3.4, which is available here. It is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. The downloadable SRA Tool is a desktop application that walks users through the security risk assessment process using multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.
Compliance Perspective
Issue
The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. It also requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to ePHI.
Discussion Points
- Review policies and procedures related to HIPAA, ePHI, and the Security Rule. Ensure that they address how to secure ePHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update these documents as new information becomes available.
- Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, including the requirements for conducting risk assessments. Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Security Rule are being followed by all staff, and that each person demonstrates understanding and competency. Also periodically audit to ensure ongoing risk analysis is being conducted.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*