According to the most recent data provided by the U.S. Department of Health & Human Services, there are currently 3,427 open complaints regarding possible health information privacy violations. Below is a look back at four noteworthy HIPAA breaches that occurred in 2016.
Lack of Process Controls
St. Joseph Health reported to the Office for Civil Rights (OCR) that files containing protected health information (PHI) were publicly available from February 2011 until February 2012. Specifically, PHI was accessible through various search engines, including Google, because the file-sharing application used to store and accumulate the data was placed on a default setting that allowed all Internet users to gain access to the data. OCR found the following violations:
- the accidental disclosure of PHI for 31,800 people;
- St. Joseph's failure to conduct an environmental and operational evaluation when implementing the server in question; and
- St. Joseph's assessment of the risks associated with the security of the PHI did not meet the standards set out by the HIPAA Security Rule.
On October 13, 2016, after four years of investigation and negotiation, St. Joseph Health and OCR agreed to a $2.14-million settlement. Furthermore, the parties established a corrective action plan, which set forth revised policies regarding implementation of risk analysis, management plans, and training procedures.
Hybrid Model Woes
On November 14, 2016, the University of Massachusetts (UMass) Amherst Center for Language, Speech, and Hearing settled its dispute with OCR for $650,000. UMass was the victim of a malware infection that resulted in the impermissible disclosure of PHI belonging to 1,761 people. Because UMass lacked firewall protection, the Trojan malware was able to gain remote access to UMass's system and reach sensitive information. This data included the names, Social Security information, diagnoses, and procedure codes of the affected individuals.
In addition to having inadequate firewall protection, OCR found HIPAA violations because:
- UMass is an entity that elected to use the hybrid model in order to limit the applicability of the HIPAA regulations to its departmental arms. However, UMass failed to recognize that its Center for Language, Speech, and Hearing (Center) was a covered healthcare component subject to the HIPAA Privacy and Security Rules. As a result, the Center did not adopt the policies and procedures needed to be compliant; and
- UMass did not conduct a sufficient risk analysis until September 2015, more than three years after UMass reported its potential violations to OCR.
OCR Director Jocelyn Samuels stressed that entities using hybrid structures must label their healthcare components accurately in order to certify that all of their units are HIPAA compliant.
Business Associate Enforcement Actions
Upon receiving an April 2013 breach report, OCR began investigating Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) for allegedly releasing x-ray films and PHI to an entity that promised to transfer the films to an electronic media format. However, Raleigh Orthopaedic did not properly execute a Business Associate Agreement. In light of this investigation, Raleigh Orthopaedic reached a settlement agreement on April 19, 2016, which required a $750,000 payment and the creation of policies and procedures regarding Business Associate Agreements that include:
- a procedure to identify which future and current business partners are considered Business Associates for purposes of entering into Business Associate Agreements;
- assurance that a person on staff is responsible for putting Business Associate Agreements in place before PHI is disclosed to a Business Associate; and
- standard procedures guaranteeing the maintenance of documents for at least six years beyond the date of termination of the relationship between the Business Associate and Covered Entity.
The Largest HIPAA Breach Settlement
Advocate Health Care reached an agreement with OCR for $5.55 million in July 2016, which was the largest settlement made with a single entity concerning a HIPAA Breach to date. OCR began its investigation in 2013 when Advocate notified OCR of three breach reports involving its subsidiary that affected approximately 4 million people. The penalty took into consideration the sheer number of people affected and the duration of the noncompliance, which reports determined may have existed since the establishment of the Security Rule. OCR’s investigations found that PHI, including such information as patient names, credit card numbers, and clinical information, was put at risk because Advocate failed to:
- accurately review the potential vulnerabilities associated with its PHI, including a failure to conduct a risk analysis of its facilities, information technology, and data systems;
- create policies that would control and limit physical access to electronic information located within a support center;
- acquire assurances from a business associate that PHI would be protected while in the business associate’s possession; and
- protect an unencrypted laptop when an Advocate employee left the laptop in an unlocked vehicle.