We already have the first HIPAA settlements of 2017. As always, we review them so we can learn from the mistakes of others. OCR continues to release new settlement agreements at its new pace. Two were announced in January 2017. We have no idea what will happen next, but since these two brought in over $2.6 million, there may be no reason for them to slow down.
As always, we believe in learning from others’ mistakes (not Schadenfreude, though). Time to learn what these two can teach us…
First resolution = Breach notifications MUST be done on time
First HIPAA enforcement action for lack of timely breach notification settles for $475,000
Presence Health Network and all of its subsidiaries that are covered entities. Presence Health is a comprehensive, not-for-profit health care system in Illinois consisting of more than 150 locations within the
“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” said OCR Director Jocelyn Samuels. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
The facts, just the facts
- Jan 31, 2014 HHS breach notification prompted an investigation
- The notification at that time related to an incident that occurred Oct 22, 2013 where paper copies of OR schedules went missing.
- There were 836 patients printed on the reports.
- They said the report of the breach to patients and HHS went beyond 60 days because of a “miscommunication between its workforce members”
- OCR looked into smaller breaches to see if there had been prompt notification.
- Entries submitted in 2015 and 2016 had also failed to meet the timely notification requirement
- Original issue findings relating to the Oct incident:
- Patients weren’t notified until Feb 3 = 104 days after the incident = 44 days past the 60-day deadline
- Media wasn’t notified until Feb 5 = 106 days after the incident = 46 days past the deadline
- HHS wasn’t notified until Jan 31 = 101 days after the incident = 41 days past the deadline
- Each of those notifications was in violation for every day beyond 60 days, so three separate violations every single day. Total those days (44 + 46 + 41) and you get 131 violations.
- $475,000 settlement amount ($3,626 per violation)
- 2-year CAP (corrective action plan) that focuses on developing proper P&P for notifications plus training
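The per-day violation arithmetic above is easy to reproduce, and an incident response team can use the same calculation to track its own notification deadlines. The following is an added example, not code from the original post; it assumes the 60-day window is counted from the Oct 22 incident date, as the post does, and uses the dates given above.

```python
from datetime import date, timedelta

# HIPAA Breach Notification Rule: notices are due without unreasonable delay
# and in no case later than 60 calendar days after discovery. The post counts
# from the incident date, so this example does the same.
NOTIFICATION_WINDOW_DAYS = 60


def days_late(start: date, notified: date, window: int = NOTIFICATION_WINDOW_DAYS):
    """Return (days elapsed, days beyond the window) for one notification.

    A notice sent inside the window is 0 days late, never negative.
    """
    elapsed = (notified - start).days
    return elapsed, max(0, elapsed - window)


def violation_days(start: date, notifications: dict) -> dict:
    """Tally elapsed and late days per notice, plus the total OCR would count.

    OCR treated each notice type (patients, media, HHS) as a separate
    violation for every day past the deadline, so the total is the sum of
    the late days across all notice types.
    """
    deadline = start + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    report = {"deadline": deadline}
    total = 0
    for recipient, sent_on in notifications.items():
        elapsed, late = days_late(start, sent_on)
        report[recipient] = {"elapsed": elapsed, "late": late}
        total += late
    report["total_violations"] = total
    return report


# Dates from the Presence Health resolution discussed above.
PRESENCE_INCIDENT = date(2013, 10, 22)
PRESENCE_NOTICES = {
    "patients": date(2014, 2, 3),
    "media": date(2014, 2, 5),
    "hhs": date(2014, 1, 31),
}

if __name__ == "__main__":
    result = violation_days(PRESENCE_INCIDENT, PRESENCE_NOTICES)
    print(f"Notices were due by {result['deadline']}")
    for who in PRESENCE_NOTICES:
        print(f"{who:>8}: {result[who]['elapsed']} days, {result[who]['late']} late")
    print(f"Total violations: {result['total_violations']}")
```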
Second resolution = Just saying you will do it isn’t enough
MAPFRE Life Insurance Company of Puerto Rico. MAPFRE is a subsidiary of MAPFRE S.A., a global multinational insurance company headquartered in Spain. MAPFRE underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well,” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
The facts, just the facts #2
- Sept 29, 2011 HHS breach notification prompted an investigation
- The notification at that time related to an incident that occurred Aug 5, 2011 where a USB storage device was stolen from THE IT DEPARTMENT.
- There were 2,209 patients on the device.
Investigation findings #2
- Impermissible disclosure of PHI for the 2,209 beneficiaries in the breach.
- Failed to conduct an accurate and thorough risk assessment
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failed to implement a security awareness and training program for all workforce members
- Failed to implement encryption mechanisms
- Failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications or requirements to safeguard ePHI.
Resolution agreement #2
- Pay $2,204,182 to HHS
- 3-year CAP (corrective action plan)
- 220 days to do an SRA (security risk assessment) – interesting number of days
- must include the entire workforce
- must include a complete inventory of all electronic equipment, including portable media, data systems, and apps that contain or store ePHI
- Associated Risk Management plan once the SRA is approved
- Shall annually (it is underlined in the agreement) conduct SRAs
- Implement a process for evaluating environmental and operational changes within 120 days
- Mini SRAs for any changes
- Review, update, etc. all policies and procedures for privacy and security
- Once approved by OCR, they will distribute them to the workforce within 30 days (and to BAs, as applicable)
- List of minimum content in the P&Ps
- Submit all training material for review and approval
What do these settlements tell us?
- The biggest issue seems to be that there was a pattern of failure to notify. This wasn’t a one-time thing.
- A lack of communication could be cured with a proper incident response plan that assigns duties clearly to specific teams and individuals.
- OCR said it would start reviewing smaller breaches looking for patterns, and this one clearly found them.
- It isn’t always about an SRA – just usually about one
- It is the first time the lack of notification within 60 days was the violation. They did not hit them with a gentle slap on the wrist for it either.
- Do your SRA, but don’t just put it in a closet or a folder somewhere until it is time to do it again
- Do your SRA regularly
- If it moves (or can move) – encrypt it
- If OCR suggests you do something and you say that you are going to do it, you should actually do it now. They are going to start looking at the older ones based on the findings in last year’s reports. It will certainly give them a huge list of easy pickings for quick settlements.