Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called “Phase 2 Audits” are set to commence on the heels of two important HHS OCR enforcement proceedings alleging violations of the HIPAA Security Rule:
- St. Elizabeth’s Medical Center, a tertiary care hospital in Massachusetts, allegedly failed to conduct a risk assessment before its employees used a cloud document-sharing application and failed to respond to a security incident in a timely manner, leading to a $218,400 fine and Corrective Action Plan (CAP). Orrick reported on this case in a previous alert.
- Cancer Care Group (CCG), one of the largest privately owned radiation oncology groups in the country, recently signed a $750,000 settlement and CAP stemming from the theft of PHI belonging to approximately 55,000 patients stored on a stolen laptop and unencrypted backup media. According to OCR, the investigation uncovered that prior to the security incident, CCG had failed to conduct an enterprise-wide risk assessment and had failed to implement a policy addressing the removal of unencrypted devices containing ePHI from company facilities – two issues that OCR identified as key contributing factors to the data breach. The CAP requires CCG to conduct a risk analysis of its handling of ePHI, to develop and implement a risk mitigation plan addressing certain identified risks, and to review and update its security policies, procedures and employee training.
Last month, the U.S. Department of Health and Human Services Office for Civil Rights announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year corrective action plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information in a cloud document-sharing application.
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year Corrective Action Plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information (ePHI) in a cloud document-sharing application. Covered entities and business associates that increasingly leverage cloud services for storing and managing Electronic Health Records (EHR), and ePHI more generally, should take notice of this development for a number of reasons. First, it underscores the importance of conducting security assessments on, and evaluations of, cloud services before allowing employees to use them to manage ePHI and EHR. Second, it demonstrates the need to create and enforce clear policies prohibiting the use of unapproved and untested cloud services. Finally, the settlement appears to have stemmed from an employee whistleblower and highlights how such whistleblowers will become more prominent considerations in cyber and data security investigations and enforcement actions.
The American health care industry is under attack by sophisticated hackers seeking access to electronic medical records. Since January, three health insurers have announced major data breaches involving millions of records, with the largest one at Anthem Inc., involving nearly 80 million records. There have been dozens of smaller breaches as well. According to statistics kept by the U.S. Department of Health and Human Services, in 2009 the health care sector experienced 18 data breaches involving 500 or more individuals. In the first three months of 2015, more than 50 such breaches were reported.