By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The steady stream of settlements from the Office for Civil Rights continues. The underpinning to many of the recent settlements is notification following the occurrence of a data breach, often from some form of a cyber attack.
As the settlements keep piling up, the tallies are also increasing for the risk analysis and ransomware enforcement initiatives being run by OCR.
Mass Compromise of Email Accounts
The first of the recent settlements stemmed from a data breach report submitted by PIH Health, Inc. (PIH) on January 10, 2020. Once OCR received the notification and initiated an investigation, OCR found that the breach lasted from June 11, 2019 through June 21, 2019 (not an overly long period of time), but involved email accounts for 45 different PIH employees. The scope of the email compromise resulted in records of almost 190,000 patients being impacted.
OCR found a number of issues after its investigation was completed. Two are not unexpected, namely that PHI was not appropriately protected and that the required risk analysis had not occurred. The last group of findings related to not timely providing any of the three required breach notifications. Since the breach involved more than 500 people, all of the individuals, OCR, and the media had to be notified within 60 days of discovery.
As the timeline set out above shows, the breach was found in June 2019 with notification following in January 2020, which, while not within the required time, is also not as bad as some other recent examples that have hit the headlines. Did OCR key in on this particular instance because the breach involved 45 accounts?
Lastly, the scope of the conduct resulted in a settlement payment of $600,000 to OCR.
Protecting Against Ransomware
The second recent settlement also homed in on a lack of a risk analysis. The settlement was with Comprehensive Neurology, PC (Comprehensive). Comprehensive is a single physician practice with only a few staff. The ransomware issue was discovered when a Comprehensive staff member could not access the practice’s medical records. Once that issue was discovered, Comprehensive conducted an internal assessment that determined up to 6,800 patients may have been impacted.
Comprehensive discovered the issue on December 14, 2020. A breach report was submitted to OCR on December 17, 2020. A three-day turnaround may be one of the quickest to show up in a settlement.
OCR kicked off its investigation following the breach report. As is so often the case, the investigation determined that Comprehensive did not conduct the risk analysis required by the Security Rule.
The conduct in this instance resulted in a settlement payment of $25,000.
The Takeaways
As is almost always the case, one of the key takeaways from the settlements is to conduct the risk analysis that is a fundamental part of the Security Rule. No risk analysis means no understanding exists as to an organization’s environment and how to go about complying with security requirements. Given the near universal appearance of the risk analysis finding, why are organizations still not conducting the risk analysis? It’s a good question that does not have a good answer.
Another takeaway is that OCR is pursuing settlements in a growing variety of instances. Comprehensive faced a settlement just because of the missing risk analysis despite reporting within 3 days to OCR. What made Comprehensive stick out? It is arguably the type of practice that would face more challenges with compliance given its small size and likely limited resources.
The settlement with PIH raises the question of how PIH became an example for delayed notification. There are arguably any number of such instances, but most seem to go by without a second glance or any form of public action by OCR. Did the high number of email accounts involved bring greater attention, or did something else occur? Those questions will not be answered, but not timely notifying of a breach is clearly an issue that can bring a settlement.
Focus on Compliance
Regardless of how, when, or why a breach occurs, one of the more important things any organization can do is to focus up front on compliance. While not all outside malicious actions can be stopped and internal mistakes can occur, not being prepared or even considering what could happen is sure to bring negative attention from OCR. HIPAA lays out some of the key foundational items to establish strong security that can help set up an organization to appropriately protect the sensitive patient data that it holds. Ignoring or not meaningfully engaging in those obligations is not a good course of action. Take the time and exert the effort to establish a culture of security and work to protect data.
This article was originally published on The Pulse blog and is republished here with permission.