2016: A Watershed Year for HIPAA Enforcement
OCR Announces Ninth Action of the Year with Yet Another Hefty Fine
The nation's HIPAA enforcement agency has been dramatically ramping up its issuance of breach-related financial penalties this year, in addition to its recent kick-off of a new round of HIPAA compliance audits.
In its ninth enforcement action of 2016, the Department of Health and Human Services' Office for Civil Rights has slapped the University of Mississippi Medical Center with a $2.75 million penalty stemming from an investigation into a relatively small 2013 breach. The probe uncovered serious security issues.
This latest penalty follows eight HIPAA resolution agreements and one civil monetary penalty issued by OCR so far this year, for a total of almost $15 million in fines.
By comparison, in all of 2016, OCR announced six HIPAA resolution agreements with about $6.2 million in fines. And the totals in previous years were even lower. Since 2008, there have been 38 enforcement actions that involved OCR issuing a total of about $43.74 million in financial penalties.
"I am confident that we will look back at 2016 as the year of the blockbuster HIPAA enforcement settlements," says privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
In a statement provided to Information Security Media Group, an OCR spokesman says: "Since the enactment of the HITECH Act and the requirement for entities to report breaches to HHS, OCR has focused a greater number of enforcement resources on systemic compliance failures - for example, where compliance failures present ongoing threats to PHI, and where there are patterns of noncompliance that appear to be pervasive in the industry. OCR expects there to be more resolutions through the end of the fiscal and calendar year, given this continued focus."
OCR HIPAA Enforcement Actions So Far in 2016

| Organization | Penalty |
|---|---|
| Feinstein Institute for Medical Research | $3.9 Million |
| University of Mississippi Medical Center | $2.75 Million |
| Oregon Health & Science University | $2.7 Million |
| New York Presbyterian | $2.2 Million |
| North Memorial Health Care | $1.55 Million |
| Raleigh Orthopaedic Clinic, P.A. | $750,000 |
| Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 |
| Lincare, Inc. | $239,800 |
| Complete P.T., Pool & Land Physical Therapy | $25,000 |
Reasons for Ramping Up
Several issues are contributing to the apparent OCR enforcement ramp-up, says Dan Berger, CEO of security consulting firm Redspin.
"This is in response to several factors. First, the astounding number of healthcare records breached in 2015 - more than 100 million - and the emergent threat of ransomware has shaken confidence in the electronic health record system," he says. "Second, both Congress and HHS' Office of Inspector General have recently increased pressure on OCR to address the problem.
"Given OCR's relatively limited resources, the agency's new leadership looked at its two enforcement tools - investigative and audit - and decided to put their current emphasis on the investigative side," Berger says.
OCR officials have previously said that the HIPAA fines and settlements it collects are used to fund additional enforcement activities. And it appears that this year's increase in settlements fulfills a promise made by OCR leadership a few years back, says CynergisTek's Holtzman, a former OCR adviser.
Shortly after she became OCR director in July 2014, Jocelyn Samuels promised to vigorously enforce the HIPAA privacy and security rules "using the full power of the agency when covered entities and business associates are found to have failed in their duty to have adequately safeguarded protected health information," Holtzman notes. Then, in 2015, OCR hired well-known healthcare privacy and security attorney Deven McGraw as deputy director of health information privacy in yet another apparent signal of its commitment to an enforcement ramp-up.
"It is a fair assessment that Ms. Samuels and the OCR team are committed to keeping their promise to hold covered entities and business associates of every type and all sizes accountable," Holtzman says.
In addition to its more frequent announcements of HIPAA cases this year, OCR has launched the long-overdue phase two of its HIPAA compliance audit program, with "desk audits" now underway (see Organizations Facing HIPAA Audits Notified).
The Latest Settlement
OCR's latest enforcement action, like many others announced this year, came after the investigation of a relatively small breach yielded evidence of bigger security issues.
University of Mississippi Medical Center agreed to settle multiple alleged HIPAA violations dating back as far as 2005 that were discovered during OCR's investigation into a 2013 breach involving an unencrypted laptop stolen from a UMMC intensive care unit. That breach affected 500 individuals, according to HHS' "wall of shame" tally of major health data breaches.
"During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight," OCR says in a statement.
"In addition to identifying risks and vulnerabilities to their electronic protected health information, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame," OCR's Samuels says in the statement. "We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI."
OCR says it was notified in March 2013 of a breach after UMMC's privacy officer discovered that a laptop was missing from UMMC's medical intensive care unit. UMMC's investigation concluded that the computer had likely been stolen by a visitor who had inquired about borrowing one of the laptops.
OCR says that during its investigation into that breach, it found that electronic PHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC's wireless network "because users could access an active directory containing 67,000 files after entering a generic username and password." The directory included 328 files containing the ePHI of an estimated 10,000 patients dating back to 2008, OCR says.
The OCR breach investigation also revealed a number of other security shortcomings, including UMMC's failure to implement its policies and procedures to prevent, detect, contain and correct security violations; and a lack of physical safeguards for all workstations that access ePHI to restrict access to authorized users.
In addition to those issues, OCR also says UMMC failed to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI. It also failed to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used or disclosed as a result of the stolen laptop breach.
UMMC said in a statement that there is no evidence that PHI on the stolen laptop was accessed or disclosed.
At the time of the incident, UMMC administrators issued a news release and placed a public notice on the medical center's websites about the potential breach of confidential patient data, UMMC notes in the statement. However, UMMC admits it did not directly notify each individual impacted by the incident.
Corrective Action Plan
Under the OCR resolution agreement, UMMC has agreed to a corrective action plan that requires the medical center to:
- Draft an enterprisewide risk analysis and risk management plan;
- Update and implement its information security policies and procedures;
- Revise its current breach notification policy;
- Implement a plan requiring a unique name and/or number identifying and tracking users of all systems containing ePHI, including shared network drives;
- Provide a security awareness training program for all workforce members.
In its statement, UMMC says that over the last several years, it has initiated "substantial improvements in its information security program." Among other initiatives, UMMC says it's requiring that all laptop computers be encrypted; has restructured the role and reporting relationships of its CISO; and brought in an outside firm for a complete assessment and overhaul of its IT security program.
"We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard," LouAnn Woodward, M.D., UMMC vice chancellor for health affairs, says in the statement.
While the penalty UMMC received appears high relative to the small number of records breached, "the transgressions were many, including insufficient access controls and failure to notify patients whose personal health information had been compromised," Berger notes.
The lessons emerging from OCR's latest settlement with UMMC are the same as for many of the agency's previous enforcement actions, Holtzman notes.
"The take-aways from findings from the investigation of UMMC are predictably similar," he says. "Perform an enterprisewide information security risk assessment of where PHI is vulnerable to unauthorized access or loss of data. Encrypt PHI when stored on portable devices, tablets and smartphones. Put into place monitoring solutions and services to assist in recognizing when an information system is under attack. And [implement] technologies to help stop the exfiltration of data."