Hospital System Settles Malicious Insider Cybersecurity Investigation for $4.75 Million

On February 6, 2024, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a non-profit hospital system based in New York City for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by the hospital system relating to data security that enabled an employee to steal and sell patients’ protected health information (PHI) over a six-month period.

In May 2015, the New York Police Department informed the hospital system that there was evidence of theft of a specific patient’s medical information. The incident prompted the hospital system to conduct an internal investigation. It discovered that two years prior, one of their employees stole the electronic protected health information (ePHI) of 12,517 patients and sold the information to an identity theft ring. The hospital system filed a breach report with OCR.

OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by the hospital system to analyze and identify potential risks and vulnerabilities to PHI, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using PHI. Without these safeguards in place, the hospital system was unable to prevent the cyberattack, or even to detect that it had happened, until years later.

Under the terms of the settlement, the hospital system will pay $4,750,000 to OCR and implement a corrective action plan that identifies certain steps toward protecting and securing PHI. These actions include:

    • Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
    • Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;
    • Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use ePHI;
    • Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
    • Providing training to its workforce on HIPAA policies and procedures.

OCR will monitor the hospital system for two years to ensure compliance with the law.

The action is the latest step by HHS, which released a Department-wide cybersecurity strategy for the healthcare sector in December 2023 and released voluntary performance goals to enhance cybersecurity across the health sector just last week.

Compliance Perspective

Issue

HIPAA requires that healthcare providers, insurers, and others take steps to protect the privacy and security of patients’ PHI. OCR is responsible for administering and enforcing health information privacy, including enforcement of the HIPAA Privacy, Security, and Breach Notification Rules for the healthcare sector. According to OCR’s breach reports, over 134 million individuals were affected by large breaches in 2023, compared with 55 million in 2022. OCR recommends that healthcare providers, health plans, clearinghouses, and business associates that are covered by HIPAA implement safeguards to mitigate or prevent cyberthreats.

Discussion Points

    • Review policies and procedures related to HIPAA, ePHI, and the Security Rule. Ensure that they address how to secure ePHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update these documents as new information becomes available.
    • Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, including the requirements for conducting risk assessments. Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Provide training specific to the organization and job responsibilities on a regular basis, and reinforce staff members’ critical role in protecting privacy and security. Document that these trainings occurred and file the signed training document in the employees’ education files.
    • Periodically audit all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations. Also ensure audit controls are in place to record and examine information system activity.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*