On May 23, 2019, the Office for Civil Rights (OCR) published a Resolution Agreement (RA) with an Indiana-based electronic medical record service business associate. This is the first settlement announced since the Office for Civil Rights reduced the HIPAA violation maximum civil penalties. The RA reported that Medical Informatics Engineering (MIE), while serving as a business associate, did not conduct a comprehensive Security Risk Analysis (SRA), which left its servers vulnerable. The RA resulted in the company agreeing to pay the Department of Health and Human Services (HHS) $100,000 while entering into a Corrective Action Plan (CAP). According to OCR Director Roger Severino, “Entities entrusted with medical records must be on guard against hackers.”
Let’s review the background of the security incident. On May 26, 2015, MIE discovered suspicious activity on its servers. After further investigation, it was determined that the unauthorized access to the network started on May 5, 2015. The servers under attack contained approximately 3.5 million individuals’ names, addresses, dates of birth, Social Security numbers, email addresses, clinical information and health insurance information. Upon completion of the investigation, HHS reported that MIE had not conducted an accurate and thorough HIPAA Security Risk Analysis to determine all vulnerabilities to the confidentiality, integrity, and availability of the ePHI. Thus, the cyberattack resulted in the impermissible disclosure of ePHI for 3.5 million individuals.
What MUST Occur?
MIE is also entering into a CAP with OCR, which directs MIE to conduct a complete risk analysis, develop a risk management plan and ensure a process is in place to investigate reportable events. The first step is for MIE to create an inventory of all facilities and categories of electronic equipment, data systems, and applications which create, transmit, receive, or maintain ePHI. After completion of the inventory, MIE must evaluate the risk to the ePHI on the electronic equipment, data systems, and applications in which MIE creates, transmits, receives or maintains ePHI. MIE must assess whether its existing security measures are sufficient to protect its ePHI, while revising its Security Risk Management Plan (SRMP). This is to be submitted to OCR within 30 days of the effective date for OCR approval.
Once the Security Risk Analysis has been approved by OCR, MIE must begin implementing its SRMP to address and mitigate any security risks and vulnerabilities identified in the OCR-approved SRA. MIE must report its SRMP to OCR for approval within 30 days. The RA also reports that MIE is required to investigate incidents where a workforce member potentially fails to comply with the company’s security policies. If MIE’s investigation determines that a workforce member violated company policies and procedures, MIE shall report such events to HHS/OCR as “Reportable Events.”
What Should You Do?
- Begin conducting your Security Risk Analysis annually, if you are not already doing so, to ensure you are continually managing the risks related to your company’s current systems.
- Ensure processes and technologies are in place to both detect and prevent system intrusions. Many organizations focus only on detection, but implementing intrusion prevention systems can drastically reduce or completely negate the impact of attacks.
- Establish a routine HIPAA security audit process to monitor system and network activity for possible attacks or unauthorized data access from external threats.
- Review staff training materials to confirm that they reflect the workforce roles, rights and access levels to reduce insider threats. Insider threats continue to be one of the highest threats to our data systems.
- Institute a sanction process to take disciplinary steps when workforce privacy and security violations occur.
LW Consulting, Inc. is partnering with Binary Decisions to host a complimentary lunch & learn, “HIPAA Security Best Practices – Insider Threats,” to provide more information on how to reduce the risk of insider threats. LWCI also offers a comprehensive HIPAA Security product, “HIPAA SP3 - Security Policies & Procedures Package,” which contains 50 fully functional HIPAA security policies and procedures, designed to guide practices through a systematic approach to safeguarding ePHI.
Unsure if your data systems are protected? Looking for an experienced professional to conduct a technical review of your systems? LW Consulting, Inc. has HIPAA security experts available to talk with you and assist with the process.
For more information, contact Deborah Alexander at 717-213-3122 or email DAlexander@LW-Consult.com.