June 2, 2020 You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice. The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts. What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should: Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on. What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.
Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine
March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program. The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice. While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following: Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place.
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
October 16, 2018 Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014. In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.