On December 10, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with a healthcare clearinghouse for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement follows a complaint revealing that protected health information (PHI) was accessible to search engines like Google.
In 2018, OCR received a complaint about unsecured PHI on the internet, which prompted an investigation. The investigation found that from May 2016 to January 2019, the PHI of 1,565,338 individuals was made publicly available online. The disclosed PHI included sensitive information such as patient names, dates of birth, home addresses, Social Security numbers, claims data, diagnoses, and other treatment information. These impermissible disclosures raised concerns about potential violations of the HIPAA Privacy Rule.
Additionally, OCR identified several potential violations of the HIPAA Security Rule. These included the healthcare clearinghouse’s failure to conduct a compliant risk analysis to assess vulnerabilities in its ePHI systems and its failure to regularly monitor and review activity in those systems.
Under the terms of the settlement, the healthcare clearinghouse agreed to pay $250,000 to resolve the matter. OCR determined that a corrective action plan was not necessary, as the clearinghouse had previously settled with 33 states, agreeing to corrective actions that addressed OCR’s findings.
“Healthcare entities must ensure that patient health information is not left accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity requires proactive vigilance in identifying risks and preventing unauthorized access to health data.”
Compliance Perspective
Issue
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must follow to protect the privacy and security of PHI. Covered entities are required to notify affected individuals when a breach of unsecured PHI is discovered. This notice must be provided without unreasonable delay and no later than 60 days from the discovery of the breach. The notification should include a brief description of the breach, the types of information involved, steps individuals should take to protect themselves, and contact information for follow-up. If the covered entity cannot reach at least 10 individuals because of outdated or insufficient contact information, it must provide substitute notice by posting the breach information on its website or through major media outlets for at least 90 days. For fewer than 10 individuals, alternative methods such as written notice, phone calls, or other means can be used. The notice must also include a toll-free phone number so individuals can inquire whether their information was affected.
Discussion Points
- Review policies and procedures related to HIPAA and PHI regularly to ensure they reflect current regulatory requirements and best practices, including data security and breach notification processes.
- Train all relevant staff on HIPAA compliance, PHI handling, and data security. This should include instruction on recognizing and preventing phishing schemes, malware threats, and unauthorized PHI disclosures, detecting malicious software, and reporting security issues. Provide refresher training at least annually and whenever new security threats or procedures are introduced. Document all training sessions and maintain signed documentation in each employee’s education file.
- Conduct periodic audits of security practices and ensure that staff adhere to data integrity and security measures. Random spot checks, in addition to scheduled audits, can help identify vulnerabilities. Also audit regularly to confirm that the facility’s HIPAA and PHI policies and procedures are being followed, and address any noncompliance promptly.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*