Throughout 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) has announced seven settlement agreements and one civil monetary penalty to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. As in prior years, much of this enforcement activity has centered on risks arising from cybersecurity incidents and deficient internal processes, including failure to conduct a comprehensive security risk analysis, insufficient HIPAA policies and procedures, and disclosure of Protected Health Information (PHI) to vendors without a business associate agreement in place. From January 1, 2018 through December 11, 2018, OCR announced the following enforcement actions:
- On December 11, 2018, OCR announced a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital located in Colorado. The settlement resulted from a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. As a result, OCR determined that the ePHI of 557 individuals was impermissibly disclosed to the former employee. OCR also found that PSMC failed to enter into a business associate agreement with the web-based scheduling calendar vendor.
- On December 4, 2018, OCR announced a $500,000 settlement with Advanced Care Hospitalists PL (ACH), which provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. Between November 2011 and June 2012, ACH engaged the services of an individual providing medical billing services under the name Doctor’s First Choice Billing, Inc. (First Choice). A breach involving 400 individuals was reported to OCR when it was discovered that these individuals’ names, Social Security numbers, and dates of birth were publicly viewable on First Choice’s website. OCR’s investigation revealed that ACH never obtained a business associate agreement with First Choice and failed to adopt any policy requiring business associate agreements until April 2014. OCR’s investigation also revealed that ACH had not conducted a risk analysis or implemented security measures or written HIPAA policies and procedures before 2014.
- On November 26, 2018, OCR announced a $125,000 settlement with Allergy Associates, a health care practice that specializes in treating individuals with allergies. The practice comprises three doctors at four locations across Connecticut. OCR reported that Allergy Associates contacted a local television station to speak about a dispute that had occurred between a patient and an Allergy Associates doctor. When the reporter subsequently contacted the doctor involved, the doctor impermissibly disclosed the patient’s PHI to the reporter. OCR found that the doctor’s discussion demonstrated a reckless disregard for the patient’s privacy rights. OCR further concluded that, after the disclosure, the practice took no disciplinary or corrective action against the doctor, even though the practice’s privacy officer had advised the doctor not to speak to reporters.
- On October 15, 2018, OCR announced a $16 million settlement with Anthem, Inc. (Anthem) to resolve the largest U.S. health data breach to date. It is reported that cyber-attackers gained access to Anthem’s IT system and stole the ePHI of nearly 79 million people, including names, Social Security numbers, medical identification numbers, addresses, and dates of birth. OCR alleged that Anthem failed to implement appropriate measures for detecting hackers, failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI.
- On September 20, 2018, OCR announced settlements totaling $999,000 with three different hospitals in the Boston, Massachusetts area for the hospitals’ actions that compromised the privacy of patients’ PHI. According to the OCR press release, Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital allowed film crews on premises for an ABC television network documentary series without first obtaining patients’ consent. In addition to the settlements, each hospital agreed to provide workforce training that will include OCR’s guidance on disclosures to film and media.
- On June 18, 2018, OCR announced that an Administrative Law Judge granted summary judgment in favor of OCR, ordering The University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000 in civil monetary penalties to resolve HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted thumb drives containing the ePHI of over 33,500 individuals. Through its investigation, OCR determined that MD Anderson disregarded its written encryption policies and, prior to the breaches at issue, had previously identified that the lack of device-level encryption posed a high risk to the security of ePHI.
- On February 13, 2018, OCR announced a $100,000 settlement for Filefax, Inc.’s (Filefax) HIPAA violations, stressing that consequences for HIPAA violations do not cease after a business closes. Prior to closing its business operation in 2016, Filefax provided storage, maintenance and delivery of medical records for covered entities. Upon receiving an anonymous complaint, OCR launched an investigation that revealed Filefax kept the PHI of approximately 2,150 patients in an unlocked truck in its parking lot and allowed an unauthorized person to remove the PHI from Filefax. A receiver appointed to liquidate Filefax’s assets agreed to pay the $100,000 settlement to OCR from the receivership estate.
- On February 1, 2018, OCR announced a $3.5 million settlement with Fresenius Medical Care North America (FMCNA) resulting from breach reports at five FMCNA-owned facilities occurring between February 23, 2012 and July 18, 2012. The OCR press release indicates that each of the five breaches involved unauthorized access to patients’ ePHI. The press release underscores the need for an enterprise-wide risk analysis, and that covered entities must undertake a thorough examination of their internal policies and procedures to ensure patients’ health information is adequately protected in conformity with federal law.
OCR has also provided guidance throughout the year addressing various areas of concern. In January 2018, OCR issued its Cybersecurity Newsletter focusing on cyber extortion, which can include ransomware as well as Denial of Service and Distributed Denial of Service attacks. Malware used for cyber extortion continues to evolve and probe for new vulnerabilities within organizations. To address the risk of cyber extortion, OCR’s guidance recommends activities such as:
- implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically throughout the entire organization;
- implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
- training employees to identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
- deploying proactive anti-malware solutions;
- patching systems to fix known vulnerabilities;
- hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker;
- implementing and testing robust contingency and disaster recovery plans to ensure the organization can recover from a cyber-attack;
- encrypting and backing up sensitive data;
- implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
- remaining vigilant for new and emerging cyber threats and vulnerabilities.
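As an added illustration of the audit-log review OCR recommends above, and of the stale-account access at issue in the Pagosa Springs settlement, the following script compares application audit records against an HR separation roster and flags any ePHI access that occurs after a workforce member’s separation date. It is an example written for this page, not code from OCR’s guidance or from any of the entities discussed; the log format, usernames, dates, IP addresses and roster are all constructed for the example, and a real deployment would parse its own application’s audit trail and pull the roster from the HR system.

```python
"""Audit-log review: flag access by separated workforce members.

Added example for this page, not OCR guidance. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed HR roster: username -> separation date (None = still employed).
# In practice this comes from the HR or identity system of record.
ROSTER = {
    "jdoe": None,
    "asmith": datetime(2018, 3, 1),
    "bjones": datetime(2018, 5, 15),
}

# Constructed audit log from a hypothetical web-based scheduling application.
# One record per line: ISO timestamp, username, action, source IP.
SAMPLE_LOG = """\
2018-02-27T08:15:02 jdoe VIEW_CALENDAR 10.0.4.21
2018-03-02T19:44:10 asmith VIEW_CALENDAR 203.0.113.9
2018-03-02T19:45:31 asmith EXPORT_CALENDAR 203.0.113.9
2018-04-10T12:00:00 svc_billing VIEW_CALENDAR 10.0.4.50
2018-05-14T09:00:00 bjones VIEW_CALENDAR 10.0.4.30
2018-06-01T23:10:45 bjones VIEW_CALENDAR 198.51.100.4
2018-06-02T07:30:00 jdoe VIEW_CALENDAR 10.0.4.21
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "ip": ip,
        })
    return events


def find_post_separation_access(events, roster, grace=timedelta(0)):
    """Return events by users whose separation date precedes the event time.

    `grace` allows a deprovisioning window (e.g. same-day offboarding) before
    an event counts as a finding. Users absent from the roster are flagged too:
    an account with no HR record is itself something a reviewer must explain.
    """
    findings = []
    for ev in events:
        if ev["user"] not in roster:
            findings.append({**ev, "reason": "user not on HR roster"})
            continue
        separated = roster[ev["user"]]
        if separated is not None and ev["ts"] > separated + grace:
            findings.append({
                **ev,
                "reason": (f"access on {ev['ts'].date()} after separation "
                           f"on {separated.date()}"),
            })
    return findings


def summarize(findings):
    """Per-user count of flagged events, the figure a reviewer would report."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_separation_access(parse_log(SAMPLE_LOG), ROSTER)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['user']:12} {h['action']:16} "
              f"{h['ip']:15} {h['reason']}")
    print("per-user findings:", summarize(hits))
```

The review is only as good as the two inputs: it assumes the application actually records the acting user and timestamp for every ePHI access, and that the roster is kept current. A gap between separation date and account disablement is exactly the window in which the PSMC disclosure occurred, so a finding here should feed the access-termination process as well as the breach assessment.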
On October 16, 2018, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) announced that the agencies’ Security Risk Assessment (SRA) Tool had been updated to make it easier to use and applicable more broadly to the risks to health information. The tool is designed for use by small to medium-sized health practices and business associates to help them identify risks and vulnerabilities to ePHI. The effort to update the SRA tool further emphasizes the significance OCR places on comprehensive and routine risk assessments and on compliance with the risk analysis requirements of the HIPAA Security Rule.