December 14, 2016

The Department of Health and Human Services (HHS) hit hospitals and other healthcare delivery networks hard in the pocketbook with a wave of big fines zeroing in on security risk management issues between July and October. Is this the end of the fine tsunami? Don’t bet on it.

In the most recent example, St. Joseph Health (SJH) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following reports that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines for over a year, ending in 2012. SJH, a nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2.14 million and adopt a comprehensive corrective action plan.

Identifying the Problem Isn’t Enough

“Entities must not only conduct a comprehensive risk analysis but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said HHS’ Office for Civil Rights (OCR) Director Jocelyn Samuels in an October 18 HHS press release. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

Clearly, HHS and OCR are stepping up enforcement on a number of document protection and eData security issues. It’s probably time for some hospitals to step up their game. Likewise, drug and medical device manufacturers face some of the same challenges in terms of data management, so it’s no stretch to imagine OCR will turn its enforcement flashlight on them one of these days, too. It’s important to note that no vendor (or “business associate”) can accurately declare itself as “HIPAA Compliant.” However, the ones that demonstrate an understanding of the act’s requirements should be able to assure drug and device makers that they’re in safe hands.

Returning to OCR’s most recent activity, in addition to the $2.14 million settlement, SJH must implement a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis, and develop and implement a risk management plan. Once that’s complete, the hospital network must revise its policies and procedures, and train its staff on these policies and procedures. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

HHS Had a Busy Summer

HHS was active this summer, too. In July, the University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of HIPAA. OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI that potentially exposed approximately 10,000 individuals. During the investigation, OCR concluded that UMMC was aware of various risks and vulnerabilities to its systems as far back as April 2005, yet no significant HIPAA risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. That kind of action, or lack thereof, doesn’t exactly make OCR think one is acting in good faith. UMMC was told to pay a resolution amount of $2.76 million and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.

Also in July, Oregon Health & Science University (OHSU) settled potential HIPAA violations. OCR reported that it found widespread and diverse problems at OHSU, which will be addressed through a comprehensive three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2,700,000. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive. As if the fines weren’t enough, OHSU’s problems were broadcast far and wide in local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities, including the storage of ePHI of over 3,000 individuals on a cloud-based server without a business associate agreement. OCR found a significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR concluded that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level.

Are Life Sciences Firms Next?

In other words, identifying a potential problem is never enough. HHS, like the Food and Drug Administration, always expects to see a clear Corrective and Preventative Action (CAPA) plan with clear documentation that shows a life science or healthcare organization has a vise-like grip on eData security. According to OCR, OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI, or an equivalent alternative measure, for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

As mentioned earlier, OCR will likely one day focus on medical device and pharmaceutical manufacturers. Learn how implementing an automated quality management system like AssurX can add an additional layer of protection against a potential multimillion-dollar fine against your company.

Best Practices for automated CAPA Process video webcast. Improve your products and comply with industry regulations.
