Healthcare Breach

What Happens When You Don’t …

In this week’s Know The Rules! I present a case study on what happens when you don’t perform your Business Associate due diligence. Do you know the expression … “What you don’t know WILL hurt you!!”? That is what Advanced Care Hospitalists (ACH), a contractor physician group in West Florida, found out the hard way after a Business Associate (BA) of theirs had a healthcare data breach in 2014.

Here Is What Happened

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice Billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). Its initial breach report stated the PHI of 400 patients had been impermissibly disclosed, but ACH later amended the breach report after it was discovered that a further 8,855 patients’ PHI had also been impermissibly disclosed.

What the OCR Investigation Revealed

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH DID NOT implement ANY HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a complete and thorough risk analysis until March 4, 2014. Although PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a Business Associate Agreement (BAA).

As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online. As OCR Director Roger Severino said: “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”

Settlement Time

Advanced Care Hospitalists PL (ACH) agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). In addition to paying the fine, ACH has agreed to implement a robust 2 year Corrective Action Plan (CAP) to correct all HIPAA compliance failures … AND you know what that means, don’t you – the government is going to be in their business for at least the next two years. Not a place I’d like to be!!

This organization could have saved themselves a whole lot of sleepless nights, financial expense and lost revenue by doing their due diligence before they signed the Business Associate Agreement. Don’t let this happen to your organization. Know that your Business Associates have performed ALL of the HIPAA compliance activities.

Now I ask you … Have YOU done YOUR Business Associate due diligence? Do you need help getting started or with managing your Business Associate clients? Schedule a call, I’m here to help!!

2018 Third-Party Healthcare Data Breaches – Update

Business Associate Healthcare Data Breaches

In “Episode 63: Know The Rules!”, I reported what I thought were all of the healthcare data breaches reported on the Health & Human Services (HHS) Office for Civil Rights (OCR) Breach Portal website by Business Associates (BAs) in 2018. This is what I reported last week: The year 2018 was very bad for healthcare data breaches reported by BAs. Between January and December 2018, there were 39 different BA healthcare breaches added to the OCR ‘Wall of Shame’, potentially compromising the health information of 5,487,456 individuals.

Seems I was wrong! Why is this and how did it happen?

On January 9, 2019, after a quick review of the Breach Portal website, I noticed a new breach affecting a health plan. Nothing new, but I knew this breach was a phishing attack on their BAs. In last week’s episode, I only reported the breaches identified as “Business Associate” under the Covered Entity Type report column. However, there were many more breaches hiding in the wings. This caused me to dig deeper into the report, and this is what I found:

An Even Worse Year for Business Associates and Their Clients

It turns out 2018 was worse than I thought! During 2018, there were a total of 74 different healthcare breaches on the wall. Here are the numbers:

Unauthorized Access/Disclosure = 34
Hacking/IT Incident = 33
Loss = 5
Theft = 2

That’s 71 new Business Associate breaches added to the ‘Wall of Shame’, and 71 organizations that could now have OCR in their business affairs – this is NOT a place you EVER want YOUR business to be in. But wait, didn’t I just tell you there were 74 different BA healthcare breaches? Clearly, you were paying attention; the difference is because 3 of those organizations had already made the list in 2018!!

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Request your copy today of the ‘2018 Business Associate Healthcare Data Breach Report’ and find out who made the list.

Business Associate Breach

Today, I am presenting a case study on the chain of events after a Business Associate (BA) experienced a breach of electronic protected health information (ePHI). Business Associates, YOU may be directly liable for violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Breach Notification Rule, as well as certain provisions of the Privacy Rule, after experiencing such a breach. Liability may attach to BAs even in situations in which the BA has not entered into the required Business Associate Agreement with the Covered Entity (CE).

Breach History

On September 29, 2011, MAPFRE Life Insurance Company of Puerto Rico filed a breach report with the Office for Civil Rights (OCR) after a USB data storage device was stolen from their IT department, affecting 2,209 patients.

What OCR Found During Their Breach Investigation

OCR’s investigation revealed MAPFRE’s noncompliance with the HIPAA rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, 2014 (approximately three years later).

AND MAPFRE Life was found out of compliance in the following areas:

Impermissible disclosures of PHI
Failure to conduct a thorough risk analysis and implement security measures
Failure to provide a security awareness and training program for all members of its workforce, including management
Failure to implement encryption technologies for PHI
Failure to implement appropriate policies and procedures to comply with the HIPAA Security Rule

HIPAA Enforcement

On January 11, 2017, Health and Human Services (HHS) agreed to accept, and MAPFRE Life agreed to pay, a $2,204,182.00 settlement (Resolution Amount), AND MAPFRE Life was required to enter into a six year Corrective Action Plan (CAP) with OCR.

Lessons Learned

Don’t ignore YOUR need to be HIPAA compliant! Any device or media that has PHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all! Covered Entities and Business Associates need to understand patients are entrusting YOU with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

JOIN US!! Join HIPAA alli for our live webinar where we provide valuable information on a range of HIPAA compliance related topics and allow attendees to gain insider insight and learn industry best practices.

Find Out What Happened After the Healthcare Breach

What Happens After A Healthcare Breach …

These days the news is filled with story after story about another healthcare breach of electronic protected health information (ePHI). Over the last few weeks I shared with you the importance of securing PHI.

Not Doing Their HIPAA Risk Analysis Cost Them $3.5 Million

Last week, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Why, You Ask?

Because on January 21, 2013, FMCNA filed five (5) separate breach reports for separate incidents occurring between February 23, 2012, and July 18, 2012, implicating the ePHI of five separate FMCNA-owned Covered Entities (CEs). Any time a healthcare breach occurs, this automatically sends an invitation to HHS for which they DO NOT have to RSVP. This is not a position you want to find yourself in!

OCR’s Investigation

The investigation revealed the FMCNA CEs failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. The FMCNA CEs impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. FMC Ak-Chin failed to implement policies and procedures to address security incidents. FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility.

FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and the equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances. FMC Magnolia Grove and FMC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “CEs must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Wait! There is more in store for FMCNA! In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA CEs to:

Complete a risk analysis and risk management plan
Revise policies and procedures on device and media controls as well as facility access controls
Develop an encryption report
Educate its workforce on policies and procedures

Covered Entities and Business Associates need to understand their patients are entrusting them with their most private and intimate details; they expect it to remain secure!

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Third-Party Vendors – Don’t Let This Happen To You!

Did you know? In 2013, the Final Omnibus Rule updated the HIPAA Security Rule and Breach Notification clauses of the HITECH Act. As a result, every Business Associate (BA) that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) is required to perform a comprehensive enterprise-wide HIPAA Security Risk Analysis (per §164.308(a)(1)(ii)(A)). This means it must include more than your electronic health record (EHR) system. And don’t forget to include any Internet of Things (IoT) devices you have connected; HHS looks at those too!

Don’t let this happen to YOUR organization!

In February 2014, the Health and Human Services (HHS) Office for Civil Rights (OCR) received separate notifications from each of six nursing homes regarding a breach of unsecured ePHI by Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS provided management and information technology services to the nursing homes as a BA. On April 17, 2014, OCR notified CHCS of OCR’s investigation regarding CHCS’s compliance with the HIPAA Rules. OCR’s investigation indicated that the following occurred:

CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS (see 45 C.F.R. § 164.308(a)(1)(ii)(A));
CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule (see 45 C.F.R. § 164.308(a)(1)(ii)(B)).

In addition to several other provisions identified in the HHS Resolution Agreement, CHCS agreed to pay the Resolution Amount of $650,000 and implement a Corrective Action Plan (CAP).

Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Security Incident

What’s a Security Incident? When is it a Breach?

Security incidents happen, and when they do, effective response planning can be a major factor in how much operational or reputational harm or legal liability an organization suffers. Being able to respond to incidents in a systematic way ensures appropriate response steps are taken each time, helping to minimize the impact of breaches.

The HIPAA Security Rule defines a security incident as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) The HIPAA Breach Notification Rule defines a breach as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402.)

As of August 16, 2017, there were a total of 2,022 healthcare data breaches reported on the HHS “Wall of Shame”. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Covered Entities (CEs) and their Business Associates (BAs) are expected to provide security controls that ensure the confidentiality, integrity, and availability (CIA) of protected health information (PHI). However, having robust and fairly resilient systems will not eliminate the possibility that a cybersecurity incident could occur in your organization. Despite the requirements of HIPAA, not only do a large percentage of CEs believe they will not be notified of security incidents or cyberattacks by their BAs, they also think it is difficult to manage security incidents involving BAs, and impossible to determine whether the data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.

CEs and BAs should train all workforce members, including management, on incident reporting, and may wish to conduct security audits and an enterprise-wide risk analysis to evaluate the BAs’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contain ePHI may be at significant risk. Over the past years, the healthcare sector has been one of the biggest targets of cybercrime, resulting in breaches due to weak authentication.

Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Security Incident

Are YOU Prepared for a Security Incident?

What if your Business Associates Had A Security Incident?

Covered Entities (CEs) believe it’s impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident. To complicate matters, a large number believe their Business Associates would NOT notify them in the event of a security incident.

It is crucial that BAs notify CEs in the event of any use or disclosure of Protected Health Information (PHI) not provided for in their contract. This includes any breaches of unsecured PHI, as well as any security incidents. The Business Associate Agreement (BAA) should specify how and for what purpose the PHI will be used or disclosed by each BA or subcontractor.

HIPAA defines a security incident as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) HIPAA also defines a breach as an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402.)

Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today.