Email Breach Leads to HIPAA Fine for Small Clinic
HHS Finds Provider Neglected to Follow Security Requirements - Even After Breach
Federal regulators have slapped a small provider of discounted medical and dental services to underserved patients in rural North Carolina with a $25,000 HIPAA settlement in a case involving an email breach that occurred nearly a decade ago. It's only the second HIPAA settlement that the Department of Health and Human Services has announced this year.
The HHS resolution agreement is with Washington, N.C.-based Metropolitan Community Health Services Inc., a federally qualified health center that does business as Agape Health Services.
In the only other HIPAA settlement this year, HHS' Office for Civil Rights announced in March a $100,000 settlement with the Utah medical practice of Steven A. Porter, M.D., in a case related to a business associate dispute (see: Big HIPAA Fine for Solo Doctor Practice).
In 2019, OCR announced 13 HIPAA enforcement actions totaling about $15.3 million. That includes three HIPAA settlements announced by mid-year 2019 totaling $6.1 million.
Breach Details Are Sketchy
In a statement, OCR says that in June 2011, Metropolitan Community Health Services filed a breach report "regarding the impermissible disclosure of protected health information to an unknown email account."
Neither OCR's statement nor the resolution agreement in the case describe the circumstances of the email-related breach, which affected nearly 1,300 individuals. But OCR says its investigation into the incident revealed "longstanding, systemic noncompliance with the HIPAA Security Rule."
Metropolitan Community Health Services failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures and neglected to provide workforce members with security awareness training until 2016, OCR says.
"Healthcare providers owe it to their patients to comply with the HIPAA rules," OCR Director Roger Severino said. "When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information."
OCR and Metropolitan Community Health Services did not immediately respond to an Information Security Media Group request for additional details about the case.
Data breaches involving email frequently appear on the HHS HIPAA Breach Reporting Tool website listing breaches impacting 500 or more individuals.
So far this year, 128 incidents - or nearly half of the data breaches added to the tally - involve email. Those incidents, which include phishing attacks, affected a total of 3.3 million individuals.
Corrective Action Plan
As part of the settlement with OCR, Metropolitan Community Health Services has agreed to a corrective action plan that requires it to:
- Conduct and complete a thorough enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications;
- Develop a risk management plan to address and mitigate any security risks and vulnerabilities;
- Review and revise its written policies and procedures to comply with the HIPAA privacy, security, and breach notification rules;
- Provide training to all workforce members in accordance with its approved procedures and policies.
Questioning OCR's Strategy
Privacy attorney David Holtzman, principal of the consultancy HITprivacy, questions whether OCR's pursuit of an enforcement action against a small, community healthcare provider that suffered a breach over nine years ago is "an appropriate use of its resources."
"OCR would be justified to ensure an organization complies with the requirements of the HIPAA Security Rule to safeguard the PHI of the patients they serve," he says. "However, it is disheartening to witness the agency unleash the full brunt of its enforcement power on a small, underfunded health clinic when, in the years since this incident, we have seen reports of thousands of larger, serious breaches reported by HIPAA covered entities and business associates."
Holtzman adds: "With scores of reported breaches that appear to have been caused by larger HIPAA covered entities or business associates that have not implemented reasonable security safeguards ... it would seem that OCR would have many opportunities to pursue meaningful enforcement actions."
With only two HIPAA settlements so far this year, could the COVID-19 pandemic be affecting OCR's HIPAA enforcement activities?
Privacy attorney Iliana Peters of the law firm Polsinelli notes that while OCR has signaled a willingness to work with regulated entities on time frames associated with HIPAA investigations, "there has been no moratorium on such work by OCR due to the COVID-19 public health emergency, and many of OCR's investigations take several years to complete, particularly if OCR considers those investigations to be appropriate for settlements or civil monetary penalties."
What other insights can covered entities and business associates learn from this settlement?
"The investigation and resolution confirms OCR's determination to enforce HIPAA even when providers are small, nonprofit and making heroic efforts to provide care to underserved populations," notes independent HIPAA attorney Paul Hales.
In the meantime, "HHS has more than a full plate in dealing with urgent health emergencies. It's no surprise that we are seeing fewer HIPAA investigations," he notes.
"However, we also see much higher risks to the privacy of health information caused by opportunistic criminals and the rapid increase of telehealth by inexperienced providers using unsecure platforms. When things settle down I expect OCR will have an enormous backload of breaches and alleged HIPAA violations to investigate."