At the beginning of 2017, OCR announced several settlements. Then the announcements stopped in May, as leadership changes began that are still under way. In fact, the only reason this settlement surfaced at all appears to be that it was included in a bankruptcy court filing earlier this month.
As is our custom here on HMWH we review these settlements and use them as guidance for how OCR expects you to manage your compliance program.
21st Century Oncology, Inc. (21CO) is headquartered in Ft. Myers, FL and provides cancer care and radiation services. It does not operate only in Florida: it has centers in 17 states and 7 Latin American countries, 179 centers in total, 36 of them in Latin America.
They settled with OCR by paying $2.3 million and agreeing to a 2-year corrective action plan (CAP). Interestingly, the payment is part of the Chapter 11 bankruptcy protection that 21CO filed for on May 25, 2017; the settlement with OCR was approved by the Bankruptcy Court on December 11, 2017. That issue alone is a topic for discussion. We often hear those who refuse to do HIPAA compliance work defiantly announce that they will simply declare bankruptcy if anyone ever tries to fine them for not doing it. Here you have a settlement sitting right in the middle of a bankruptcy proceeding, and the fine is still being paid.
Their cyber insurance is apparently covering the costs, which brings up another claim we often hear: "I don't have to do the work because I have insurance." I have seen some articles that say their coverage will take care of this, but it is not something I have researched in detail. We do know that most insurance policies today require applications that include commitments to performing the privacy and security requirements. It will be interesting to see how things progress in the courts, because people have been less than honest on those applications. As they experience data breaches that make the deception clear, insurance companies will not find it amusing to receive a request for 2, 3, or 4 million dollars.
In both of these cases, I do have to point out that the business owners making these two statements are doing so without any regard for their patients or their staff. The patients are the major concern; it is about patient care, after all. But the stress a breach puts on your staff is far more than most of those business owners understand when they make those statements.
So, back to the case of 21CO. It is important to note that this group is settling a number of different lawsuits and regulatory cases, many millions of dollars in settlements in fact. They even admitted to falsifying Meaningful Use (MU) attestations for their incentive money. Lawsuits from an older data breach in 2012 are also in the mix.
What happened to get us to this point with OCR? It goes back to 2015. As we mentioned in our educated guesses, we are starting to see cases that originated in 2015.
On two separate occasions (yes, TWO) in 2015, the FBI notified 21CO that patient information had been illegally obtained by an unauthorized third party and produced 21CO patient files that an FBI informant had purchased. As part of its internal investigation, 21CO determined that the attacker may have accessed the SQL database on 21CO's network as early as October 3, 2015, over the remote desktop protocol from an Exchange server inside 21CO's network.
The FBI notifications came on November 13 and December 13, 2015, each reporting that an informant was buying their patient information. 21CO hired a third-party forensic auditing firm in November 2015 to figure out what was going on.
OCR’s subsequent investigation revealed that 21CO failed to:
- conduct an accurate and thorough risk analysis/assessment
- implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
- have a written business associate agreement with third-party vendors to whom it had disclosed protected health information (PHI)
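Two of those findings fit together: the attacker reached the SQL database over RDP from an Exchange server, and nobody was regularly reviewing system activity records. The script below is an added example, not code from the original post, from 21CO, or from OCR, of what "regularly review audit logs" can mean in practice. It reads an export of Windows Security logon events (constructed sample rows, with invented hostnames, users, addresses and times) and flags RDP logons onto a server that holds ePHI from any host not approved to originate RDP. Event 4624 and logon type 10 are real Windows identifiers for a successful logon and a RemoteInteractive (RDP) session; the host-role tables are assumptions for the example.

```python
"""Review Windows logon audit records for RDP sessions that reach an ePHI
server from a host that should never be an RDP source, such as a mail server.

Illustrative example added to these show notes. The event rows, hostnames,
users, IP addresses, timestamps and role tables below are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample export of Windows Security events.
# EventID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EXPORT = """\
TimeCreated,EventID,Computer,LogonType,TargetUserName,IpAddress,WorkstationName
2015-10-03T02:14:07,4624,SQL01,10,svc_backup,10.0.2.15,MAIL01
2015-10-03T08:30:12,4624,SQL01,10,dba.jones,10.0.9.40,JUMP01
2015-10-03T08:31:55,4624,SQL01,3,appsvc,10.0.5.21,WEB02
2015-10-04T23:58:41,4624,SQL01,10,svc_backup,10.0.2.15,MAIL01
2015-10-04T09:02:03,4624,MAIL01,10,admin.smith,10.0.9.40,JUMP01
"""

# Assumed host-role inventory (hypothetical names).
RDP_SOURCES_ALLOWED = {"JUMP01"}   # only approved jump hosts may originate RDP
EPHI_SERVERS = {"SQL01"}           # servers holding ePHI; every RDP logon is reviewed

SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse a CSV export of Security events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_rdp_logons(events, allowed_sources=RDP_SOURCES_ALLOWED,
                      ephi_servers=EPHI_SERVERS):
    """Return a finding for each RDP logon onto an ePHI server whose source
    host is not an approved RDP origin. After-hours logons are marked so a
    reviewer can prioritise them."""
    findings = []
    for ev in events:
        if ev["EventID"] != SUCCESSFUL_LOGON or ev["LogonType"] != RDP_LOGON_TYPE:
            continue                      # not an RDP session
        if ev["Computer"] not in ephi_servers:
            continue                      # target is not an ePHI system
        source = ev["WorkstationName"]
        if source in allowed_sources:
            continue                      # approved jump host
        when = datetime.fromisoformat(ev["TimeCreated"])
        findings.append({
            "time": when.isoformat(),
            "target": ev["Computer"],
            "user": ev["TargetUserName"],
            "source_host": source,
            "source_ip": ev["IpAddress"],
            "after_hours": when.hour < 7 or when.hour >= 19,
        })
    return findings


def earliest_finding(findings):
    """Earliest flagged logon: the first date a forensic review would report."""
    return min((f["time"] for f in findings), default=None)


if __name__ == "__main__":
    results = review_rdp_logons(parse_events(SAMPLE_EXPORT))
    for f in results:
        flag = " (after hours)" if f["after_hours"] else ""
        print(f"{f['time']} {f['source_host']} -> {f['target']} as {f['user']}{flag}")
    print("earliest unapproved RDP logon:", earliest_finding(results))
```

Run weekly against a real export, this check would have surfaced both sample logons from the mail server the first time the review ran; the point of the CAP's "internal monitoring plan" is that somebody is assigned to run exactly this kind of review and act on the results.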
In addition to a $2.3 million monetary settlement, a 2-year corrective action plan requires 21CO to:
- complete a risk analysis and risk management plan,
- revise policies and procedures,
- educate its workforce on policies and procedures,
- provide all maintained business associate agreements to OCR,
- submit an internal monitoring plan.
That appears to be the last settlement announced for 2017. It keeps OCR on an enforcement pace beyond anything seen before last year. With this settlement, 2017 included 10 resolutions totaling $19,393,000.
Over the last two years, there were 23 resolutions for a total of $42,898,300, an average of $1,865,143 per settlement. Before that, there were settlements each year from 2012 through 2015: 22 cases over those 4 years totaling $20,949,180, an average of $952,235 each.
Keep in mind that most of the cases settled so far involve events from those 4 years, 2012 through 2015. There are plenty of cases for OCR to choose from in 2016 and 2017, as well as more from 2015. Between breach reports and complaints, there is no shortage of cases.
According to OCR, since the compliance date of the Privacy Rule in April 2003 it has received over 167,321 HIPAA complaints and has initiated over 857 compliance reviews, and it has resolved ninety-seven percent of these cases (162,564).
There continues to be a steady stream of announced settlements as OCR does its best to get its point across. We agree completely with OCR Director Roger Severino when he says, "It's not just my hope that covered entities will learn from this example and proactively find and address their security risks, it's what the law requires."
Please remember to follow us and share us on your favorite social media site. Rate us in your podcasting app; we need your help to keep spreading the word. As always, send in your questions and ideas!