Advocate Health

While only in the 8th month of the year, 2016 is already the biggest HIPAA enforcement year as tallied by the dollar amount of fines, which exceed $19 Million.  Here is a roundup of enforcement actions this year:

Advocate Health Care, $5.55 Million.  Advocate Health Care Network, the largest health system in Illinois with 12 hospitals and 250 treatment locations, settled regarding allegations of widespread non-compliance, in some cases for more than a decade.  OCR stated that they failed to conduct an appropriate risk analysis, to limit physical access to their large data center, to obtain BAAs and to safeguard unencrypted laptop PCs.  More details at Advocate Settlement.

University of Mississippi Medical Center, $2.75 Million.  University of Mississippi Medical Center (UMMC) is the state’s sole public academic medical facility.  An investigation was triggered by a breach affecting approximately 10,000 individuals.  OCR determined that UMMC was aware of risks and vulnerabilities since April 2005, yet failed to implement corrections.  During 2013, a laptop was stolen from their ICU.  By using a generic username and password, it was possible to access 67,000 files on the hospital’s network.  More details at UMMC Settlement.

Oregon Health & Science University, $2.7 Million.  Oregon Health & Science University (OHSU) submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and an unencrypted thumb drive.  OCR determined that while OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010 and 2013, these risk analyses were not comprehensive and did not identify all ePHI.  Further, OHSU failed to implement appropriate risk management for issues that they did identify.  OCR found evidence of widespread unmitigated vulnerabilities.  More details at Oregon Health Settlement.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), $650,000.  The CHCS case began with the theft of a single iPhone with information on 412 individuals.  The iPhone was neither encrypted nor password protected.  It included extensive information including social security numbers, diagnosis and treatment information, family member names and medication information.  CHCS had no risk analysis, no risk management plan, no policies regarding removing mobile devices from its facility and no security incident procedure.  This was the first case involving a HIPAA Business Associate.  OCR indicated that because the Diocese provided a significant amount of charity care and took care of an underserved population, it was lenient with only a $650,000 settlement.  More details at CHCS Settlement.

New York Presbyterian Hospital (NYP), $2.2 Million.  On April 28, 2011, NYP allowed the film crew for the TV show “NY Med” to film at the hospital.  They were provided access to treatment areas and even filmed a patient who was dying.  Patients did not consent, and in some cases caregivers objected to the film crew’s presence.  OCR has since issued new guidance, Media Access, for those interested.  More details at NYP Settlement.

Northwell Health, $3.9 Million.  On September 2, 2012, the research arm of Northwell Health, Feinstein Institute for Medical Research, filed a breach report regarding the theft of a laptop computer.  The computer was stolen from an employee’s car and included information on 13,000 patients and research participants with extensive medical information.  OCR determined that Feinstein’s security management process was deficient.  More details at Northwell Settlement.

North Memorial Health Care of Minnesota, $1.55 Million.  North Memorial is a comprehensive, not-for-profit health system that serves the Twin Cities.  OCR found that they failed to enter into a HIPAA Business Associate Agreement with a major contractor, and failed to complete an organization-wide risk analysis.  This enforcement action began with the breach report of their contractor, Accretive Health, who reported the theft of a computing device from a rental car.  The wheels of justice grind slowly — a related case (against the contractor) was first reported on this blog in Wake-up Call for Business Associates more than 4 years ago!  More details at North Memorial Settlement.

Complete P.T., Pool & Land Physical Therapy, Inc., $25,000.  Complete PT is a small physical therapy practice in the Los Angeles area.  This settlement arose from a complaint that they put patient photographs on their website as part of their marketing effort.  This action shows that OCR will take action against small organizations as well as large.  Note that this settlement is the smallest ever in dollar terms.  More details at Complete PT Settlement.

A review of these enforcement actions includes the usual themes:

  • A comprehensive risk analysis is essential.  The risk analysis must be organization wide and must be thorough.  Of particular note for hospitals and physician practices is that while the meaningful use program requires an annual risk analysis regarding only the security of the data in the EHR, HIPAA requires that the risk analysis must include all ePHI.
  • An effective security management process is necessary.  Not only must the organization complete a risk analysis, it must act on it in a comprehensive manner.  This includes creating policies and procedures, implementing security capabilities and providing training.
  • Mobile device management and encryption remain a hot button.  Many of these actions arose from the loss or theft of unencrypted mobile devices.  First and foremost, mobile devices need to be encrypted.  Other mobile device management safeguards are also important, including proper access controls and enforcement of other security features.
  • Business Associate management is essential.  Many HIPAA Security Officers focus exclusively on internal IT issues but miss the big risks involved with HIPAA Business Associates.  Compliance starts with having a HIPAA Business Associate Agreement in place.
  • HIPAA Privacy still matters.  While the vast majority of enforcement cases over the last few years have been related to HIPAA Security, the HIPAA Privacy rule still matters as is illustrated by two of these enforcement cases.

Editor’s Note: Subsequent to the publication of this article, CMS has renamed the “Meaningful Use” programs and MIPS “Advancing Care Information” category to “Promoting Interoperability”.
