Picture this: you are leaving your medical office after a long day of work. You take your laptop with you so that you can finish some remaining tasks at home. On the way, you stop off at the grocery to pick up a few items. You lock your car. When you return, you discover that your car has been broken into and your laptop stolen. Although your laptop didn’t contain electronic Protected Health Information (“PHI”), your laptop bag did include an unencrypted thumb drive which held names, Social Security numbers and other identifying information for thousands of current and former patients.
Now, fast-forward 3 years after the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) completes its investigation of this security breach. In addition to the theft of unencrypted information, OCR’s investigation reveals that the practice failed to conduct a risk analysis in line with the HIPAA Security Rule (which may have prevented the breach in the first instance).
Cancer Care Group, P.C., a large radiation oncology practice, found itself in the above factual setting. As a result of the theft, compounded by the absence of a risk analysis, this medical practice recently entered into a settlement with OCR which involved a $750,000 payment and a 3-year Corrective Action Plan. A copy of the Resolution and Corrective Action Plan is here.
And the settlements are getting larger. On August 4, 2016, OCR announced a $5.5 million settlement with Advocate Health Care Network, an Illinois health care system, stemming from three breaches involving theft of desktop computers and a laptop as well as a breach involving a business associate. The Resolution and Corrective Action Plan is here.
While the above two settlements involved the PHI of 500 or more individuals, OCR very recently announced that it will increase investigations into smaller HIPAA breaches, specifically, those involving the PHI of fewer than 500 individuals. OCR will consider the following in selecting those subject to investigation:
- The size of the breach;
- Theft of, or improper disposal of, unencrypted PHI;
- Breaches that involve unwanted intrusions into IT systems (i.e., hacking);
- The amount, nature, and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
The take-away here: if you are a HIPAA covered entity or an entity that has executed a Business Associate Agreement with a covered entity, HIPAA’s Privacy and Security Rules impose upon you an obligation to undertake a documented risk analysis designed to assess and identify potential risks and vulnerabilities to PHI and from that, to develop robust procedures for protecting the security of PHI and handling and mitigating breach and security incidents.
Conducting an effective risk assessment will vary depending on the specific entity, so there is no single template or best practice. At its most basic, it involves consideration of the following:
- Identifying all electronic PHI in your workplace. Where is it, where does it move and how is it stored and backed up?
- What are the vulnerabilities to the electronic PHI? What are the various scenarios which could potentially result in inappropriate access or disclosure?
- After having identified the vulnerabilities, how can you protect the electronic PHI? What procedures can you put in place to prevent breaches from occurring in the first place?
HHS published a security risk assessment tool, available here, to assist providers with HIPAA compliance. The results of the risk analysis must then form the basis of organization-wide procedures to safeguard PHI and mitigate breaches, with regular workforce training the icing on the cake. Then, periodically update your risk analysis process (perhaps every three years), as it is not a “one and done” thing.
All breaches of PHI must be reported to HHS, whether the breach involves one individual’s PHI or 500. If that breach triggers an OCR investigation, OCR will request to see the risk analysis (and any updates) completed by the covered entity as part of the investigation.
In light of the recent OCR investigation and enforcement activity, the fact that many of the recently published settlements center on the importance of risk analysis and that OCR is now making a concerted push towards investigating smaller breaches, the time to address HIPAA Security Rule compliance is now.
For questions involving this post or the HIPAA Privacy and Security Rules, please contact Kimberly Blankenship or Dean Spina at 319-363-0101 or firstname.lastname@example.org and Dspina@bradleyriley.com.