If a business has $1.5 million available, it’s a safe bet it would rather not spend that money paying to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. So, taking a look at a September settlement by an orthopedic clinic, let us share six lessons to avoid noncompliance with the HIPAA Security Rule.
Athens Orthopedic Clinic PA (Athens Orthopedic) paid its $1.5 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). The clinic, located in Georgia, provides orthopedic services to approximately 138,000 patients annually. In addition to the monetary settlement, Athens Orthopedic agreed to a robust corrective action plan that includes two years of monitoring.
It’s a big settlement to pay, and the years of legal fees were likely steep. Plus, the corrective action won’t come cheap. So, what happened?
A hacker used a vendor’s credentials to access Athens Orthopedic’s electronic medical record (EMR) system. Beginning on June 14, 2016, the hacker exfiltrated patient health data and continued to access patient protected health information (PHI) for over a month until July 16, 2016.
On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach. The PHI disclosed included patients' names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.
That’s not good. But, why was the fine so large? Athens Orthopedic could easily have done more.
Consider this:
Just a reminder:
The settlement agreement notes that “AOC terminated the compromised credentials on June 27, 2016.” Yet “the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.”
In fact, “OCR's investigation discovered longstanding, systemic noncompliance” by Athens Orthopedic. This included failures to:
Considering the risk, these shortfalls were risky ones. "Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," stated OCR Director Roger Severino.
#1 Healthcare hacking is a real threat. In case you didn’t believe it before. Even though a gang calling itself “The Dark Overlord” might seem laughable, the breach of more than 208,000 individuals’ records is no joke.
#2 Review of vendor and third party service provider credentials needs to be ongoing. As part of its Corrective Action Obligations, Athens Orthopedics must now account for any of its business associates. It must also provide descriptions of the business associate’s handling of/interaction with PHI.
#3 Keep an accurate, thorough technology inventory. An enterprise-wide analysis of security risks and vulnerabilities is necessary. Incorporate all electronic equipment, data systems, programs and applications that contain, store, transmit or receive ePHI.
#4 Conduct risk analysis. Risk assessment is part of the HIPAA Security Ruling. Beyond assessing risk, it’s also critical to develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities.
#5 Limit access. Athens Orthopedics is also required to revisit its access control procedures and policies. In particular, the agreement calls for:
#6 Train your humans. Creating and documenting workforce training is key to HIPAA Privacy Rule compliance. In the agreement, HHS calls for training new workforce members within 14 days of hiring. And, "in all cases before being provided access to PHI.”
More and more healthcare organizations are turning to managed service providers (MSP) for technology solutions. MSPs need to understand the HIPAA Security Rule and compliance best practices.
As the MSP for a healthcare organization, you’re a business associate the HHS can hold accountable. As a result, you need to comply with all aspects of HIPAA. Prioritize compliance and protecting your clients’ patient data.
A risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards helps determine risks and identify methods to mitigate weaknesses. In fact, the Office of the National Coordinator for Health Information Technology (ONC) offers a Security Risk Assessment Tool.
HIPAA noncompliance is costly. In 2018, just 55 cases of noncompliance amounted to $79 million in penalties. So, recognize healthcare is a high risk area. Plus, encrypt everything. Also document proactive measures. And keep records of training and partnership agreements. Finally, always be looking to improve and keep up with the latest.
Ultimately, Calyptix Security can help. Our healthcare offering blocks threats such as hackers, malware, and spam. Plus, the simple interface makes it easy to manage your network at a budget-friendly price. AccessEnforcer provides advanced security for small and medium healthcare networks.
