Health care provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements

The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.

OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate.  OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

 

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino.  “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” 

 

In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring.  The resolution agreement and corrective action plan may be found at:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.

Top 5 Trends in Cybersecurity in 2020

Cybersecurity Trends in 2020
Cybersecurity Trends in 2020

In 2017, the UK’s National Health Service (NHS) experienced a severe ransomware attack. This incident resulted in the cancellation of nearly 20,000 medical appointments, including rerouting of cancer patients in emergency care to other destinations. The attack cost NHS trusts nearly $93 million.  Proper cybersecurity compliance could have prevented this attack.

Concerns of the cyber-threats have reached the United States as well. According to the secretary of the Department of Homeland Security, cyber weapons and sophisticated hacking currently pose the greatest threat to the United States and the private companies involved . 

According to a recently published report from Verizon, 43% of all cyber-threats are aimed at small businesses, with 39% of the total attacks carried out by organized criminal groups. Small and medium scale enterprises remain most vulnerable, due to a lack of awareness and resources  . According to the National Cybersecurity Alliance report, over 60% of the small enterprises go out of business within six months of experiencing a cyber-attack. 

Although these statistics are frightening, there is some good news. For instance, according to the Verizon report, the incidences of attack to steal credit and debit card information is on the decline. The new chip and pin technology have made these attacks more redundant for hackers. Here are some other innovative trends in cybesecurity worth watching out for in 2020: 

  1. The ultimate battle over internet dominance will continue

The incidents of cyberattacks in the recent years has coerced many countries to restrict internet traffic and take other stringent actions. In fact, Russia was one of the first countries that suggested filtering of internet traffic through Kremlin’s Roscomnadzor internet censor node with an aim to create the country’s very own internet “RuNet”, which might ward off cyberattacks. Moscow even tried to influence the BRICS nations (Brazil, Russia, India, China, and South Africa) to create a separate domain name in order to establish hegemony over the internet. Apart from Russia, China too has enforced many policies to establish itself as the thought leader of internet space. Many countries have even emulated China’s policies and formulated anti-privacy and surveillance laws. This has led to massive fragmentation of the Internet world, resulting in the Balkanization of sorts of the technology arena. However, the blame cannot just be placed on Russia and China alone. Even countries in the west have put stringent policies in place to establish dominance under the ambit of mitigating security risks. One such example is UK and the US snubbing Huawei technologies’ economical 5G services. While these fragmentations may create pockets of internet everywhere, it can be helpful in assuaging cybersecurity woes. However, it would lead to more confusion, less transparency, and perhaps strike down innovation. This dilemma is bound to worry the thought leaders even in 2020.

  1. Compliance Assessment To Take Centerstage

In June 2019, American Medical Collection Agency (AMCA) discovered that an unauthorized person had gained access to its web payment portal. Even more surprising was that the attacker had access to its system since August 2018, resulting in a major loss for the organization with 150,000 cases of the data breach. Under the 43% of all cyber-threats, the agency will have to report the breach to all the potential patients, which itself will require very numerous man-hours During such attacks, it is impossible to know the full extent of the breach within a short duration. Moreover, without adequate precautions, organizations can leave their consumers and themselves open to major risks, ranging from legal liabilities to financial  and personal loss. It’s easier to avoid such issues with quick response procedures that detect threats in time then pass on the message to concerned stakeholders at the earliest. This compliance procedure is not just mandatory by law, but can save enormous financial loss, and even lives. Hence, compliance assessment is likely to remain one of the highest priorities in fighting cyber-attacks.

  1. Attacks on Multiple Fronts

Cyber-attacks are becoming more sophisticated, and this is likely to continue as multi-vectored attacks like NotPetya, and WannaCry remain active. Using these ransomware executable files, hackers can simultaneously attack multiple fronts of digital infrastructure including mobile devices, network, and cloud systems. It is estimated that less than 5% of today’s systems are capable of handling these advanced attacks. With a widespread lack of awareness about security assessment, these attacks will continue to plague small businesses, large enterprises, and government entities. 

  1. Adoption of Data Harbours

According to the US Council of Economic Advisers, cyber-attacks cost the US economy nearly $109 billion in 2016, and pending on cyber-security reached over $120 billion in 2019 globally. Major stakeholders in many industries are threatened, especially in the healthcare and financial fields. On the other hand, cyber threats continue to become more intelligent, systematic, and operate over longer periods of time undetected. This has forced many to create external data harbours for their data, independent of their infrastructure.

  1. Data Privacy Regulation Goes Global 

In 2018, the European Union signed the General Data Protection Regulation, or GDPR law. This law has paved the way for more regulations concerning the use of personal data, such as the California Consumer Privacy Act (CCPA). These laws already affected enterprises worldwide due to the global nature of the internet. Moreover, the GDPR covers European citizen’s data access in all countries and promises to penalize breaches stringently. The growing regulation regarding data privacy holds a major implication for firms who do not have access to compliance assessment. 

Data regulations could also impact companies who host their data in clouds like Azure, Google, and AWS. The increasing data breaches and growing stringent regulatory environment will be worth monitoring in 2020, as cloud adoption and security plays an increasing role.  

In conclusion

If your company is looking for solutions including security assessment, data warehouses, and regulatory compliance, there is a variety of options available. Continuous employee training on cyber-attacks also should remain a high priority, as  prominent forms of attacks took place through phishing methods. If you want to protect your organization from bad actors, you have to perform adequate security assessment and training. 

In fact, security assessment and risk analysis is the first step towards mitigating cyberattacks. And if you are looking for a perfect partner that can help you keep threats at bay, Databrackets is your destination. Backed by a plethora of services including current trend analysis along with past risk assessment reports, awareness training, threat forecast, and more, Databrackets seamlessly alleviates the cybersecurity woes of your organization.

Reference links: 

https://www.clevelandfed.org/en/newsroom-and-events/speeches/sp-20190404-perspectives-on-cybersecurity-the-financial-system-and-the-federal-reserve.aspx

https://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

https://compliancy-group.com/blog/

https://www.acronis.com/en-us/articles/nhs-cyber-attack/

https://www.us-cert.gov/ics/Downloading-and-Installing-CSET

Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach

23rd May 2019

Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

 

On July 23, 2015, MIE filed a breach report with OCR following the discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mie/index.html.

New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA

24th May 2019

The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.  In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable. 

OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list. 

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or another person for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.  “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The new fact sheet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html along with OCR’s guidance on business associates.

Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients’ protected health information

May 6, 2019

This image has an empty alt attribute; its file name is image.png


Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline. 

Touchstone initially claimed that no patient PHI was exposed.  However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.  Consequently, Touchstone’s notification to individuals affected by the breach was also untimely.  OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.

In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html.

HIPAA Fine for Lack of Timely Breach Notification

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first Health Insurance Portability and Accountability Act (HIPAA) settlement of 2017 based on the untimely reporting of a breach of unsecured protected health information (PHI).  Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and implementing a corrective action plan. Presence Health is one of the largest health care networks serving Illinois and consists of approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities. Presence Health also has multiple physicians’ offices and health care centers in its system and offers home care, hospice care, and behavioral health services. With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.

On January 31, 2014, OCR received a breach notification report from Presence indicating that on October 22, 2013, Presence discovered that paper-based operating room schedules, which contained the PHI of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois.  The information consisted of the affected individuals’ names, dates of birth, medical record numbers, dates of procedures, types of procedures, surgeon names, and types of anesthesia.  OCR’s investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

The Resolution Agreement and Corrective Action Plan is available for detail review below:

 

OCR’s guidance on breach notification may be found at http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Learn more on how to comply with HIPAA privacy, security and breach notification rules at https://ehr20.com/services/hipaa-hitech-compliance-assurance/