Home Health & Hospice Week

HIPAA:

Providers' Breach Reports Lead To Wide-Ranging HIPAA Investigations

Stolen laptop costs provider $850,000.

Under the law, you have to report HIPAA breaches to the HHS Office for Civil Rights. But such a report could bring a whole new level of HIPAA scrutiny to your organization. Learn some breach reporting dos and don’ts from these recent cases.

Case #1: Stolen Laptop

Background: In August 2011, a laptop was stolen from an unlocked treatment room at Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School in Burlington, Mass., according to a Nov. 25 HHS Office for Civil Rights release. The laptop ran a portable CT scanner.

The laptop hard drive contained the PHI of 599 individuals. Lahey notified OCR of the theft and resulting HIPAA breach, and then OCR conducted an investigation.

Red flags: OCR’s investigation revealed “widespread noncompliance with the HIPAA Rules,” the release says. OCR found that Lahey:

  • Failed to conduct a thorough risk analysis of all its electronic PHI;
  • Did not physically safeguard a workstation that accessed ePHI;
  • Neglected to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Did not enforce the use of unique user names for identifying and tracking user identity with respect to the workstation at issue in the incident;
  • Failed to implement procedures that recorded and examined activity in the workstation at issue; and
  • Subsequently caused the impermissible disclosure of 599 individuals’ PHI.

In the settlement that OCR announced on Nov. 25, Lahey must pay $850,000 and adopt a “robust” Corrective Action Plan (CAP) to “address its history of noncompliance with the HIPAA Rules.” Lahey must provide OCR with a comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as report certain events and provide evidence of compliance.

Insight: Unfortunately, Lahey’s case is not unique. A Dec. 1 analysis by attorneys Elizabeth Hodge and Thomas Range of Akerman pointed to Cancer Care Group, P.C.’s recent settlement agreement, which involved the theft of unencrypted computer server backup media and yielded similar “robust” requirements in its CAP.

These cases “demonstrate the OCR’s focus on the importance of risk analysis and device and media control policies,” Hodge and Range cautioned. And in response, the CAP requires Lahey to:

  • Conduct an organization-wide risk analysis of its electronic media, workstations, and information systems and develop a risk management plan to address the risks and vulnerabilities that the risk analysis identifies. Lahey must submit its risk analysis methodology and risk management plan to OCR for approval.
  • Develop or revise its written policies and procedures to address compliance failures underlying the breach. OCR must pre-approve these policies and procedures, which must include procedures for:
      * Recording the receipt, removal, and disposition (whether external or internal to Lahey’s facility) of hardware and electronic media that maintain ePHI;
      * Ensuring workstations that maintain ePHI used in connection with diagnostic or laboratory equipment are registered with, and under the control of, Lahey’s Information Services Department; and
      * Implementing mechanisms that record and examine activity in information systems of workstations that maintain ePHI used in connection with diagnostic or laboratory equipment.
  • Promptly report to OCR any workforce failures to comply with its policies and procedures.
  • Submit to OCR an implementation report that includes an attestation by an officer of the hospital that Lahey has implemented the policies and procedures, as well as an attestation by a hospital officer that, based on the officer’s review of the implementation report and reasonable inquiry regarding its content, the officer believes the information is accurate and truthful.

Case #2: Business Associate

Yet another “robust” Corrective Action Plan and a whopping $3.5 million payout arose from a recent settlement agreement between OCR and Triple-S Management Corporation, formerly American Health Medicare Inc., an insurance holding company based in San Juan, P.R. Triple-S made multiple breach notifications to HHS involving unsecured PHI, which triggered OCR to investigate, according to a Nov. 30 OCR announcement. After investigating the company’s compliance with the HIPAA Rules, OCR found “widespread noncompliance throughout the various subsidiaries of Triple-S.” The alleged HIPAA violations included:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect its beneficiaries’ PHI;
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement (BAA);
  • Use or disclosure of more PHI than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

In addition to the hefty $3.5 million payout, the settlement also involves a CAP that requires Triple-S to establish a comprehensive HIPAA compliance program, which includes:

  • A risk analysis and a risk management plan;
  • A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
  • Policies and procedures to facilitate compliance with the HIPAA Rules’ requirements; and
  • A training program covering the HIPAA Privacy, Security, and Breach Notification Rules’ requirements, intended for all workforce members and business associates providing services on Triple-S premises.
