Digital Debut

HIPAA Biannual Update

January to June 2019

BY ALEX TAIRA | JULY 2019

Since ASCA’s last update at the beginning of the year, healthcare organizations across the country posted 216 breaches of protected health information (PHI) affecting 500 or more individuals. This is the greatest number of breaches reported in a six-month span in the past two years. Consistent with previous time periods, most of the breaches (88 percent) were caused by unauthorized access or hacking. The percentage of breach investigations due to theft decreased (from 15 percent to 9 percent), although given the large increase in overall breaches the total number of breaches due to theft actually increased from 12 in the second half of 2018 to 19 in the first half of 2019.

Within the US Department of Health and Human Services (HHS) the OCR is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can review the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.

Below are selected enforcement actions that highlight some precautions ASCs can take.

Cottage Health

What Happened: Cottage Health, a multi-hospital system in California, experienced multiple security breaches as the result of improper permissions and access. In the first instance, the security settings had not been configured correctly and allowed electronic PHI (ePHI), including patient names, diagnoses and lab results to be available to anyone on the Cottage Health server. In another breach, an IT troubleshooting ticket exposed ePHI to the internet. Cottage Health paid a $3 million settlement.

Takeaway for ASCs: This was a serious breach, affecting more than 62,500 individuals, all as a result of improper security permission configuration. OCR’s investigation found that Cottage Health “failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes.” It is imperative that ASCs monitor the security settings of any system that could contain patient PHI, especially, while undergoing any system changes. Even if no system changes are on the cards, it is good policy to periodically review protocols and ensure that all ePHI is safely secured.

Touchstone Medical Imaging

What Happened: Touchstone, a diagnostic medical imaging service, was notified by OCR and the Federal Bureau of Investigation (FBI) that one if its servers was allowing uncontrolled access to patient PHI. Touchstone initially claimed that no PHI was exposed and failed to thoroughly investigate the incident until months after the notice. In the end, the PHI of more than 300,000 patients was exposed and Touchstone paid a $3 million settlement.

Takeaway for ASCs: This was a failure on many levels and ASCs could take a number of lessons from this incident. As with many other incidents, ASCs must have risk-analysis procedures in place that thoroughly and accurately assess vulnerabilities to confidential PHI. ASCs also must also have business associate agreements in place with any vendor, especially information technology (IT) support services and/or data centers that may have access to PHI. If a breach occurs, OCR Director Roger Servino stated in the press release announcing the enforcement action any health entity must respond “with the seriousness they are due, especially after being notified by … law enforcement agencies.”

Medical Informatics Engineering

What Happened: Medical Informatics Engineering (MIE), a company that provides software services to providers, filed a breach report in 2015 after hackers used a compromised user ID and password to access the PHI of more than 3 million patients. MIE paid $100,000 in fines and will undertake a corrective action plan that includes an enterprise-wide risk analysis.

Takeaway for ASCs: As more ASCs procure third-party vendors that transmit and store patient PHI, it is imperative that policies regarding proper permissions are closely scrutinized. It is worth considering which systems carry PHI, who can access them and where they are stored. ASCs should be vigilant in ensuring that devices are encrypted and password-protected and should prepare policies and procedures in the event of hackers obtaining a user ID and password combination.

ASCA provides many resources to help ASCs remain compliant with HIPAA. The page dedicated to HIPAA Resources can be found in the Federal Regulations section of the main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira.