Several recent enforcement actions from the HHS Office for Civil Rights (OCR), along with OCR's consistent messaging, have highlighted the importance of the HIPAA security risk analysis for healthcare organizations. Further, recent cases make it clear that a comprehensive inventory of hardware, software and PHI is an essential control.

Here are a few recent examples of instances where organizations failed to identify and safeguard devices containing ePHI, resulting in enforcement actions by OCR:

  1. Adult & Pediatric Dermatology, P.C., a 12-physician practice, had the ePHI of approximately 2,000 patients on an unencrypted thumb drive stolen from a staff member's car. This HIPAA violation resulted in a settlement of $150,000. OCR cited that the practice had not "conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI" in its risk analysis. [This language comes directly from the HIPAA risk analysis regulation at 45 CFR 164.308(a)(1)(ii)(A).]
  2. An insurance company, Affinity Health Plan, returned a leased photocopy machine, hard drive included, to its leasing company. The machine contained the ePHI of up to 344,579 individuals. This HIPAA violation resulted in a settlement totaling $1,215,780. OCR specifically cited that the company failed to identify this risk in its risk analysis.
  3. The State of Alaska Department of Health and Social Services (DHSS) reported that a USB hard drive possibly containing ePHI was stolen from a vehicle. They settled for $1,700,000. Among other findings, OCR cited that Alaska DHSS had not completed a risk analysis.

In addition to the hefty fines, both of the above organizations are required to implement a corrective action plan to take certain measures to safeguard all ePHI.

The bottom line is: you can't protect the information if you don't know where it is.

Other security authorities, such as the SANS Institute in its Top 20 Critical Security Controls, include inventory as the #1 and #2 controls. These two controls specify that both devices and software be inventoried. Eagle further recommends identifying the location of any ePHI. Eagle does not always create an inventory as part of its risk analysis, except when dealing with small organizations. However, our risk analysis report will stress in its recommendations that an appropriate inventory is a foundational control.
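The three cases above share one failure mode: an ePHI-bearing device that was never on the inventory, or was on it but never checked against the controls it needed. The following script is an added example, not Eagle's tooling or anything from the enforcement actions, of how a minimal device/ePHI inventory can be reviewed automatically. The asset records, field names and the separate "where does ePHI live" list are constructed for illustration; it flags the three patterns the cases describe: unencrypted portable media holding ePHI, leased equipment going back to the lessor with its storage unsanitized, and ePHI stores that the data-flow review knows about but the inventory does not.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One inventory record (constructed schema; real inventories carry more fields)."""
    asset_id: str
    kind: str               # laptop, thumb drive, photocopier, server, ...
    location: str           # where the device normally lives or who holds it
    portable: bool          # leaves the premises (laptops, USB media, phones)
    contains_ephi: bool     # confirmed to store ePHI
    encrypted: bool         # storage is encrypted at rest
    leased: bool = False    # owned by a third party and will be returned
    pending_return: bool = False
    sanitized: bool = False  # storage wiped/destroyed per the disposal procedure


# Constructed sample inventory, modelled loosely on the device types in the cases above.
SAMPLE_INVENTORY = [
    Asset("LT-001", "laptop", "front desk", portable=True, contains_ephi=True, encrypted=True),
    Asset("USB-017", "thumb drive", "staff member (issued)", portable=True, contains_ephi=True, encrypted=False),
    Asset("CP-003", "photocopier", "records room", portable=False, contains_ephi=True, encrypted=False,
          leased=True, pending_return=True, sanitized=False),
    Asset("SRV-01", "EHR database server", "data center", portable=False, contains_ephi=True, encrypted=True),
]

# Constructed output of a data-flow review: every place ePHI was found to be stored.
# "NAS-02" is deliberately absent from the inventory to show the coverage gap check.
SAMPLE_EPHI_STORES = ["SRV-01", "USB-017", "NAS-02"]


def find_unencrypted_portable_ephi(inventory):
    """Portable devices holding ePHI without encryption (the stolen-thumb-drive pattern)."""
    return [a.asset_id for a in inventory if a.portable and a.contains_ephi and not a.encrypted]


def find_unsanitized_leased_returns(inventory):
    """Leased devices about to leave custody with ePHI still on unsanitized storage (the copier pattern)."""
    return [a.asset_id for a in inventory
            if a.leased and a.pending_return and a.contains_ephi and not a.sanitized]


def find_unknown_ephi_stores(inventory, ephi_stores):
    """ePHI locations known to the data-flow review but missing from the inventory."""
    known = {a.asset_id for a in inventory}
    return [store for store in ephi_stores if store not in known]


def review_inventory(inventory, ephi_stores):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unencrypted_portable_ephi": find_unencrypted_portable_ephi(inventory),
        "unsanitized_leased_returns": find_unsanitized_leased_returns(inventory),
        "ephi_stores_not_inventoried": find_unknown_ephi_stores(inventory, ephi_stores),
    }


if __name__ == "__main__":
    for check, hits in review_inventory(SAMPLE_INVENTORY, SAMPLE_EPHI_STORES).items():
        print(f"{check}: {hits or 'none'}")
```

The third check is the one that matters most for the risk analysis itself: the inventory is only a control if it actually covers every place ePHI is stored, so reconciling it against an independent data-flow or discovery list is what turns "we have an inventory" into "we know where the ePHI is."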

In communications about these enforcement actions, OCR Director Leon Rodriguez reminds HIPAA covered entities that they "are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information."