For many of us, the thought of a Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security breach is a distant forgettable nightmare. We follow our healthcare facility policies and procedures because it is part of our job, not fully understanding the potential repercussions associated with noncompliance.
There Are Repercussions
We might scan over the penalties and legal fees and quickly skim new policies and procedures released by the higher-ups, but do we really comprehend what could happen if we are found noncompliant or a breach occurs? This article was not written to scare you, but to offer a warning. Don’t let this be your healthcare facility.
The Cost of Failing to Protect Health Records
On December 28, 2017, as we wrapped up the end of the year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a press release and sent an email to thousands of its news subscribers. The title of the email: “Failure to protect the health records of millions of people costs entity millions of dollars.” You might have seen the email and maybe you skimmed over it, but it did not concern you, so you moved on. For 21st Century Oncology, Inc. (21CO) this was not a “skimming” matter; it has affected hundreds of facilities, thousands of employees, and hundreds of thousands of patients.
In 2015, on two separate occasions, the Federal Bureau of Investigation (FBI) notified 21CO that an FBI informant had purchased patient files. These files held patient information and had been illegally obtained by an unauthorized third party. After launching an internal investigation, 21CO discovered it had been hacked. It determined that the attacker may have accessed its network SQL database as early as October 3, 2015, and that 2,213,597 individuals were affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment, and insurance information. The attacker gained access through the remote desktop protocol from an exchange server within 21CO’s network.
OCR issued these findings after its own investigation:
21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI); failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third-party vendors without a written business associate agreement.
OCR Director Roger Severino said, “People need to trust that their private health information will remain exactly that: private. It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”
More than Just a Fine
In addition to a $2.3 million monetary settlement, 21CO is required to follow a corrective action plan. If you think the fine was a steep price, the corrective action plan will send the final cost of this breach even higher.
1. Designate a Compliance Representative
a. 21CO must designate an individual to serve as its Compliance Representative (CR). The CR is responsible for ensuring that 21CO complies with the Corrective Action Plan, must have sufficient knowledge of the HIPAA rules, and must be able to institute and provide policies, procedures, training, and internal monitoring.
2. Complete a Risk Analysis and Risk Management Plan
3. Revision of Policies and Procedures
a. Within 90 days of completing the Risk Analysis and Risk Management Plan, 21CO must revise its policies and procedures.
4. Adoption and Distribution of Policies and Procedures
a. Within 30 days of obtaining the HHS-approved policies and procedures, 21CO must distribute them to its workforce.
5. Business Associate Agreements
a. Within 120 days, 21CO must provide an accounting of its business associates and copies of their agreements.
6. Internal Monitoring
a. Within 60 days, 21CO shall submit a written plan for an internal monitoring system. 21CO must gain HHS approval before implementing the internal monitoring system.
7. External Assessments
a. Within 60 days, 21CO must engage a qualified, objective, independent third-party assessor to review its compliance.
b. The External Assessment includes:
i. Assessor’s Plan
ii. Description of Assessor’s Reviews
iii. Assessor’s Reports and Response
iv. Retention of Records
v. Validation Review
c. The Assessor may NOT be terminated without HHS’s consent.
8. Procedure for Internal Reporting
9. Annual Reports
a. 21CO must submit an annual report on its compliance with the Corrective Action Plan.
10. Document Retention
a. All documents and records related to compliance must be maintained for 6 years.