Learn a valuable lesson from this $2.3 million HIPAA settlement. If you skimp on risk management or other HIPAA core duties, you may have to pay big when a breach occurs. That's what one health care provider has recently discovered.

Background: The Federal Bureau of Investigation warned physician practice 21st Century Oncology Inc. twice about a cyber invasion of its systems in 2015, resulting in large-scale HIPAA violations for failing to adequately secure its patients' electronic protected health information (ePHI) against an "unauthorized third party," says an HHS Office for Civil Rights release. The Fort Myers, Florida, cancer treatment and oncology specialist, with 179 locations in the U.S. and Latin America, left more than 2.2 million individuals exposed after internal investigations determined that its network SQL database had been illegally accessed through "remote desktop protocol from an exchange server within 21CO's network," the OCR says. The report suggested that evidence obtained from an FBI informant is what originally alerted the feds that files containing "names, social security numbers, physicians' names, diagnoses, treatment, and insurance information" had been breached.

OCR levied a $2.3 million monetary settlement against 21CO for its HIPAA violations and required the organization to put together a corrective action plan. "People need to trust that their private health information will remain exactly that: private," says OCR Director Roger Severino. "It's not just my hope that covered entities will learn from this example and proactively find and address their security risks, it's what the law requires."

The OCR's biggest complaint pointed to repeated blunders in compliance basics by 21CO. The provider missed opportunities to better assess and manage its risk. And with large-scale settlements like this one becoming the norm, providers cannot be too careful when devising their HIPAA protocols.
It remains evident that a strong compliance foundation, one that promotes and outlines in writing the HIPAA Privacy and Security rules, provides some insulation against steeper penalties. "Covered entities and business associates must insulate their businesses with a comprehensive compliance plan and risk analysis addressing and mitigating any applicable privacy and security risks," advises attorney John E. Morrone, a partner at Frier Levitt Attorneys at Law in Pine Brook, New Jersey. "Through recent settlements, OCR has demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, independent of the number of affected individuals or the content of the protected health information included in a particular breach."

Do this: If your agency is due for a HIPAA compliance plan update, consider adding these priorities that 21CO failed to implement - but that the OCR looks for after a breach occurs:

Tip: After you assess your risk, and as part of your HIPAA-plan implementation and management, create a list of all business associates (BAs) that provide services to your organization, and update it annually as changes arise and your agency evolves. It's easy to forget to alert BAs, and some organizations may feel uncomfortable insisting that business partners, suppliers, and vendors follow HIPAA. Nonetheless, OCR insists that your final steps include identifying BAs and setting up business associate agreements (BAAs). Your BAs must understand what your 2018 initiative entails and why HIPAA is important to the integrity of your agency, and they must sign off on your principles in a BAA.