HIPAA Enforcement Update (January 1 – December 11, 2018)

Privacy & Cybersecurity Newsletter
January 2019

Throughout 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) announced seven settlement agreements and one civil monetary penalty to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. As in past years, much of the enforcement activity centered on risks arising from cybersecurity incidents and deficient internal processes, including failure to conduct a comprehensive security risk analysis, insufficient HIPAA policies and procedures, and disclosure of Protected Health Information (PHI) to vendors without a business associate agreement in place. From January 1, 2018 through December 11, 2018, OCR announced the following enforcement actions:

  • On December 11, 2018, OCR announced a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital located in Colorado. The settlement resulted from a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. As a result, OCR determined that the ePHI of 557 individuals was impermissibly disclosed to the former employee. OCR also found that PSMC had failed to enter into a business associate agreement with the web-based scheduling calendar vendor.
  • On December 4, 2018, OCR announced a $500,000 settlement with Advanced Care Hospitalists PL (ACH), which provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. Between November 2011 and June 2012, ACH engaged the services of an individual providing medical billing services under the name Doctor’s First Choice Billing, Inc. (First Choice). A breach involving 400 individuals was reported to OCR after it was discovered that these individuals’ names, Social Security numbers, and dates of birth were publicly viewable on First Choice’s website. OCR’s investigation revealed that ACH never obtained a business associate agreement with First Choice and did not adopt any policy requiring business associate agreements until April 2014. OCR’s investigation also revealed that ACH had not conducted a risk analysis, implemented security measures, or adopted written HIPAA policies and procedures before 2014.
  • On November 26, 2018, OCR announced a $125,000 settlement with Allergy Associates, a health care practice that specializes in treating individuals with allergies. The practice comprises three doctors at four locations across Connecticut. OCR reported that a patient contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates doctor. When the reporter subsequently contacted the doctor involved, the doctor impermissibly disclosed the patient’s PHI to the reporter. OCR found that the doctor’s discussion demonstrated a reckless disregard for the patient’s privacy rights. OCR further concluded that, after the disclosure, the practice failed to take disciplinary action against the doctor or any other corrective action, even though the practice’s privacy officer had advised the doctor not to speak to reporters.
  • On October 15, 2018, OCR announced a $16 million settlement with Anthem, Inc. (Anthem) to resolve the largest U.S. health data breach to date. Cyber-attackers reportedly gained access to Anthem’s IT systems and stole the ePHI of nearly 79 million people, including names, Social Security numbers, medical identification numbers, addresses, and dates of birth. OCR alleged that Anthem failed to implement appropriate measures for detecting hackers, failed to conduct an enterprise-wide risk analysis, had insufficient procedures for regularly reviewing information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI.
  • On September 20, 2018, OCR announced settlements totaling $999,000 with three hospitals in the Boston, Massachusetts area for actions that compromised the privacy of patients’ PHI. According to the OCR press release, Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital allowed film crews on premises for an ABC television network documentary series without first obtaining patients’ consent. In addition to the settlements, each hospital agreed to provide workforce training that will include OCR’s guidance on disclosures to film and media.
  • On June 18, 2018, OCR announced that an Administrative Law Judge had granted summary judgment in favor of OCR, ordering The University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000 in civil monetary penalties to resolve HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted thumb drives, together containing the ePHI of over 33,500 individuals. Through its investigation, OCR determined that MD Anderson had disregarded its own written encryption policies and, prior to the breaches at issue, had already identified that the lack of device-level encryption posed a high risk to the security of ePHI.
  • On February 13, 2018, OCR announced a $100,000 settlement for HIPAA violations by Filefax, Inc. (Filefax), stressing that the consequences of HIPAA violations do not cease when a business closes. Prior to closing its business operations in 2016, Filefax provided storage, maintenance, and delivery of medical records for covered entities. Upon receiving an anonymous complaint, OCR launched an investigation that revealed Filefax had kept the PHI of approximately 2,150 patients in an unlocked truck in its parking lot and had allowed an unauthorized person to remove the PHI from Filefax. A receiver appointed to liquidate Filefax’s assets agreed to pay the $100,000 settlement to OCR from the receivership estate.
  • On February 1, 2018, OCR announced a $3.5 million settlement with Fresenius Medical Care North America (FMCNA) resulting from breach reports at five FMCNA-owned facilities, with the breaches occurring between February 23, 2012 and July 18, 2012. The OCR press release indicates that five of FMCNA’s facilities provided unauthorized access to patients’ ePHI. The press release underscores the need for an enterprise-wide risk analysis and states that covered entities must undertake a thorough examination of their internal policies and procedures to ensure that patients’ health information is adequately protected in conformity with federal law.

OCR has also provided guidance throughout the year addressing various areas of concern. In January 2018, OCR issued a Cybersecurity Newsletter focusing on cyber extortion, which can include ransomware as well as denial of service (DoS) and distributed denial of service (DDoS) attacks. Malicious software used for cyber extortion continues to evolve and to seek out new vulnerabilities within organizations. To address the risk of cyber extortion, OCR’s guidance recommends activities such as:

  • implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically throughout the entire organization;
  • implementing robust inventory and vulnerability identification processes to ensure the accuracy and thoroughness of the risk analysis;
  • training employees to identify suspicious emails and other messages that could introduce malicious software into the organization;
  • deploying proactive anti-malware solutions;
  • patching systems to fix known vulnerabilities;
  • hardening internal network defenses and limiting internal network access to deny or slow an attacker’s lateral movement;
  • implementing and testing robust contingency and disaster recovery plans to ensure the organization can recover from a cyber-attack;
  • encrypting and backing up sensitive data;
  • implementing robust audit logs and reviewing those logs regularly for suspicious activity; and
  • remaining vigilant for new and emerging cyber threats and vulnerabilities.

On October 16, 2018, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) announced that the agencies’ Security Risk Assessment (SRA) Tool had been updated to make it easier to use and to apply more broadly to the risks to health information. The tool is designed for use by small to medium-sized health care practices and business associates to help them identify risks and vulnerabilities to ePHI. The effort to update the SRA Tool further emphasizes the significance OCR places on comprehensive and routine risk assessments and on compliance with the risk analysis requirements of the HIPAA Security Rule.