By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The drumbeat of settlement agreements for alleged HIPAA violations by the Office for Civil Rights is continuing along with the consistent finding that the required risk analysis did not occur. The consistent announcement of settlements offers regular reminders to the healthcare industry that OCR is watching and expecting compliance to improve. The almost always present finding that a risk analysis did not occur is a reminder that this fundamental element of HIPAA Security Rule compliance is occurring too infrequently.
The Newest Settlement
The most recent settlement announcement from OCR came on July 7, 2025, and impacted Deer Oaks – The Behavioral Health Solution (Deer Oaks). Deer Oaks is an affiliated covered entity, which means a group of organizations agreed to collectively comply with HIPAA together. While OCR’s settlement describes the specific entities involved, this summary will just refer to Deer Oaks as a whole without getting into that nuance.
The problems with OCR for Deer Oaks started with a complaint submitted to OCR on December 6, 2021. The press announcement noted that OCR began its investigation in May 2023. The investigation started after OCR received a complaint that Deer Oaks was impermissibly disclosing protected health information. According to OCR’s factual summary, patient information was exposed online and cached by search engines because of a coding error in a patient portal pilot. As related by OCR, the exposure began at least as early as December 2021 and continued until May 19, 2023.
As noted above, OCR in the press announcement revealed that this investigation started in May 2023, which aligns with the time when the information was finally secured. If the settlement agreement is accurate that a complaint was submitted in December 2021, did OCR really wait about a year and a half before starting its investigation? If yes, why? Was there such a backlog of matters? Did this one slip through the cracks? It would be helpful to know why such a relatively important issue was allowed to rest for so long.
The next unfortunate event for Deer Oaks was suffering a cyberattack while OCR was in the middle of its investigation. Specifically, a threat actor gained access to Deer Oaks’ networks on August 29, 2023 and exfiltrated data. Not only was data exfiltrated, but the attacker threatened to post the stolen data on the dark web unless payment was made. A silver lining is that Deer Oaks at least appeared to send timely notice of the data breach, sending the notice in August 2023, the same month as the attack.
With all of those issues occurring, OCR’s findings of alleged non-compliance with HIPAA were pretty short. The only two listed in the settlement agreement are disclosing PHI in a way not permitted by the HIPAA Privacy Rule and, the now expected finding, that a risk analysis did not occur.
The result of all of that activity and the subsequent investigation was a settlement payment of $225,000.
What Does it Mean?
There is really only one primary takeaway from the settlement with Deer Oaks. OCR cares deeply about a risk analysis occurring (a point worth repeating), and any failure to conduct a risk analysis will increase the likelihood of an entity being made to pay a settlement.
Why is the risk analysis so often skipped? At this point in time, it is really hard to figure out an answer. As the commentary through the summary of the Deer Oaks settlement suggests, OCR consistently looks for a risk analysis as soon as an investigation starts since the analysis is the foundational block of complying with the requirements of the HIPAA Security Rule. When the risk analysis is missing, it becomes much easier for OCR to make a determination that the organization is not fully complying with the Security Rule.
Is the risk analysis viewed as overly burdensome? The risk analysis is intended to be a comprehensive assessment and inventory of an organization’s data, technology, and operations to produce a report that identifies where all protected health information can be found as well as risks or vulnerabilities to that information. That thorough and in-depth assessment involves a lot of hard work and a willingness to dive into many different operational areas. It is not a short or simple task, but it also cannot be skipped.
Given the importance, the risk analysis can be handled internally, but there is also value in bringing an outside party in to conduct the analysis on a periodic basis. A fresh set of eyes that is not unintentionally blinded by involvement in day-to-day operations is likely to find new vulnerabilities or offer different considerations than an internal team alone. Each organization is free to determine an appropriate cadence when it handles the risk analysis internally, externally, or both. The only minimum requirement is that the analysis must occur at least annually.
While the regulations call for an annual analysis, the reality is that assessment of systems must occur more frequently. More frequent reviews are necessary because of the constant evolution of threats. Breaking the analysis down into smaller chunks can also make the risk analysis less intimidating and more manageable.
Conclusion
To avoid becoming the next public announcement from OCR, every organization must do its risk analysis. Do not continue the unfortunate trend where OCR is able to assert that a risk analysis is missing.
This article was originally published on The Pulse blog and is republished here with permission.