Insider Risks

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

The risk to the privacy and security of healthcare information, despite all of the headlines, does not come only from outside attackers. Insider threats are real and can go undetected for potentially long periods of time. It has been a while, but the Office for Civil Rights (OCR) has turned its attention back to an insider breach with its most recent settlement of alleged non-compliance with HIPAA.

The Factual Background

So what happened that caught OCR’s attention? It began with a complaint received by OCR on October 23, 2018. The complaint alleged that on October 8, 2018, an unknown individual accessed the complainant’s medical record at St. Joseph’s Hospital, which is operated by BayCare Health System (BayCare). The complainant learned about the alleged inappropriate access after receiving a message from an individual who had photos of the complainant’s medical records as well as a video showing another individual scrolling through the complainant’s electronic medical records.

Upon receiving the complaint, OCR, as is typical, launched an investigation. During the investigation, OCR determined that the inappropriate access occurred when login credentials of a non-clinical former staff member were used. The credentials belonged to an individual who worked at a physician practice that had access to BayCare’s electronic medical records to support continuity of care for shared patients.

The Findings and Impact

OCR’s investigation identified three deficiencies:

  • Failure to implement policies and procedures governing access to electronic PHI, including not limiting access to the minimum necessary;
  • Failure to implement sufficient security measures; and
  • Failure to regularly review records of system activity.

Those three deficiencies and the situation resulted in a settlement payment of $800,000.

Gaps in the Findings?

The findings certainly reveal basic problems in BayCare’s compliance activities, but there are also some questions. Before getting to the questions, it is a relative positive that the findings do not include a failure to conduct the required risk analysis. The lack of a risk analysis is such a staple in resolution agreements with OCR that it is pleasantly surprising when it does not show up.

Now back to the questions. The summary of the factual background (at least in the press release) notes that access occurred with a former staff member’s login credentials and that the former staff member worked at a physician practice that could access BayCare’s electronic medical record. It is not stated whether the physician practice is owned by BayCare. If the practice is a separate entity, why did the practice escape enforcement activity?

Related to the relationship between BayCare and the physician practice, was an agreement in place to enable the EMR access for continuity of care? If yes, did the agreement include any form of indemnification or shifting of liability and responsibility?

Picking on the statement that the login credentials belonged to a former staff member, why was access not cut off for that set of login credentials? Did BayCare miss that step, or did the physician practice miss it? It is a bit puzzling why controlling access in that manner was not cited as an additional deficiency.

Lessons to be Learned

Numerous organizations likely enable EMR access for community physician practices and other organizations that jointly participate in the care of patients. Making continuity of care more efficient and coordinated is a necessary goal that aligns with many of the overarching policies in healthcare to drive value-based care and team care. However, those connections require attention to detail and introduce a number of moving parts. One of the more basic moving parts is that staff can and will turn over. As that occurs, it is essential to keep all parties updated on changes in access requirements. If an employee leaves, shutting off that person’s login credentials as soon as the individual is no longer employed must be a basic step. Leaving credentials active is an open invitation for an access issue to occur.

The connected lesson is that insiders still pose a big risk to privacy and security. The risk is manifold, since access can occur in a number of different ways. However, regular system activity monitoring is one of the key ways to mitigate the risk. That goes to the heart of one of OCR’s findings and is a requirement under the Security Rule. At the same time, it must be acknowledged that no individual can sufficiently review all of the logs and data that will result from monitoring of system activity. That makes the area ripe for the implementation of appropriate technological support. It is a ripe area because reviewing the data is something that AI models or other algorithm-based solutions can tackle: the review is largely a search for patterns, some of which may be minute and hard to see without support.
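The two lessons above, cutting off credentials when staff leave an affiliated practice and regularly reviewing records of system activity, can be reduced to a routine check over the EMR audit log. The script below is an added example and is not code from the original article, from BayCare, or from any EMR vendor; the account names, the affiliated practice, the shared-patient list and the log lines are all constructed for illustration, and the log format is a hypothetical one (timestamp, user id, patient id, action). It flags three conditions: use of an account whose holder has left, use of an account not on the roster at all, and an affiliated-practice account reaching a patient outside the set that practice shares with the hospital.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    user_id: str
    organization: str              # "hospital" or the name of an affiliated practice
    terminated_on: Optional[date]  # date employment ended; None while still employed


@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    patient_id: str
    action: str


# Constructed roster of EMR accounts (hypothetical names, not real people).
ROSTER: Dict[str, Account] = {
    "jdoe": Account("jdoe", "hospital", None),
    "asmith": Account("asmith", "Riverside Family Practice", date(2018, 9, 15)),
    "bwong": Account("bwong", "Riverside Family Practice", None),
}

# Constructed list of the patients each affiliated practice shares with the hospital.
SHARED_PATIENTS: Dict[str, Set[str]] = {
    "Riverside Family Practice": {"P-1001", "P-1002"},
}

# Constructed audit log in the hypothetical format: ISO timestamp, user, patient, action.
SAMPLE_LOG = """\
2018-10-08T14:02:11 asmith P-2001 VIEW
2018-10-08T14:02:45 asmith P-2001 VIEW
2018-10-08T09:15:00 bwong P-1001 VIEW
2018-10-08T09:20:00 bwong P-3005 VIEW
2018-10-08T11:00:00 jdoe P-2001 UPDATE
2018-10-08T23:40:00 ghost P-2001 VIEW
"""


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the constructed space-separated log format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def review_activity(events: List[AuditEvent], roster: Dict[str, Account],
                    shared_patients: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one finding per event that should not have happened under the roster."""
    findings = []
    for ev in events:
        base = {"user": ev.user_id, "patient": ev.patient_id, "at": ev.timestamp.isoformat()}
        acct = roster.get(ev.user_id)
        if acct is None:
            # Nobody owns this account: it should not be able to log in at all.
            findings.append({"kind": "unknown_account", **base})
            continue
        if acct.terminated_on is not None and ev.timestamp.date() > acct.terminated_on:
            # Credentials were still live after the holder left; the lesson from the article.
            findings.append({"kind": "terminated_credentials_used", **base})
            continue
        if acct.organization != "hospital":
            # Affiliated-practice accounts exist for continuity of care on shared patients only.
            allowed = shared_patients.get(acct.organization, set())
            if ev.patient_id not in allowed:
                findings.append({"kind": "outside_shared_patient_scope", **base})
    return findings


def summarize_by_account(events: List[AuditEvent]) -> Dict[str, int]:
    """Event count per account, the kind of roll-up a periodic activity review starts from."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in review_activity(evs, ROSTER, SHARED_PATIENTS):
        print(f)
    print(summarize_by_account(evs))
```

The roster is the piece that depends on the affiliated practice: unless the practice reports departures, the hospital's copy of `terminated_on` never changes and the first check is blind, which is exactly the gap the article asks about. Running the review on a schedule, rather than waiting for a complaint, is what turns the Security Rule's system activity review requirement into something an organization can evidence.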

Conclusion

The latest OCR settlement breaks some of the recent patterns that focused on risk analysis deficiencies or failure to prepare for a cyberattack. The reminder about insiders is a good one. While it may feel like there are too many threats to manage, letting one dominate attention just creates exposure on other fronts that could be minimized. There is also the aspect of needing to understand interactions with outside practices and affiliated entities to keep on top of access. As always, it all comes back to having a solid compliance program in place and devoting sufficient resources to implementation of the program to keep an organization operating as smoothly as possible.

This article was originally published on The Pulse blog and is republished here with permission.