Digital Debut

HIPAA Biannual Update

July to December 2018

BY ALEX TAIRA | JANUARY 2019

Since ASCA’s last update in July, health care organizations across the country posted 163 breaches of protected health information (PHI) affecting 500 or more individuals. For the first time in two years a single type of breach, hacking or information technology (IT) incident, accounted for a majority (53 percent) of all breaches reported by the Office of Civil Rights (OCR). Hacking and the next most common breach cause, unauthorized access (33 percent), accounted for 86 percent of all PHI breaches between July and December 2018.

Within the US Department of Health and Human Services (HHS) the OCR is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.

When a significant health information breach occurs, OCR often establishes a resolution agreement with the health care entity at fault. The resolution agreement generally involves a monetary penalty, as well as a series of mandatory corrective actions that the entity must undertake to prevent a future breach from occurring. This was a momentous six-month period for OCR, as it announced a landmark $16 million settlement with Anthem Inc. for the 2015 data breach that caused an estimated 79 million people to have their PHI exposed. The settlement figure far exceeded OCR’s previous highest settlement payment of $5.5 million.

ASCs can take important steps to help prevent these sorts of breaches and limit their liability. While most OCR settlements do not reach the amount of the Anthem settlement, they can easily reach into the hundreds of thousands or millions depending on the extent of the data exposure. To help prevent unauthorized access, improper disposal, loss and theft of PHI, ASCs need to review and update policies and procedures frequently. ASCs also can also review the enforcement actions on the OCR website and consider how they can avoid the mistakes made by others.

Below are selected OCR enforcement actions from the past six months and the precautionary takeaways for ASCs.

Anthem Inc.

What Happened: In January 2015, Anthem discovered that cyber-attackers had gained access to its system via phishing emails. At least one employee of an Anthem subsidiary responded to a malicious email, thus opening the entire IT system to hacker access. In less than two months via their targeted and undetected attack, the hackers managed to steal the electronic protected health information (ePHI) of roughly 79 million individuals, the largest health data breach in US history. Anthem agreed to the aforementioned $16 million settlement and a robust corrective action plan.

Takeaway for ASCs: This attack represents a startling illumination of how small incidence of lax cybersecurity and access detection can have devastating effects. The hackers were targeting ePHI, and it took only one response to a phishing email to expose the whole health IT infrastructure. Furthermore, Anthem was not able to detect the intrusion and allowed the hackers time to mine the system for the maximum amount of ePHI. It is vital for all health care entities, including ASCs, to train their employees on the risks of phishing emails and other common nefarious data attack vehicles. In addition, ASCs should have access detection mechanisms in place and regularly evaluate their data security policies to ensure the elimination of any possible vulnerabilities.

Advanced Care Hospitalists

What Happened: Advanced Care Hospitalists (ACH), a company that provides contracted internal medicine physicians to hospitals and nursing homes, allowed a fraudulent contractor to access and display patient information under the guise of a medical billing contract. The contractor had no connection with any medical billing agencies and displayed ePHI—including names, dates of birth, and social security numbers—of potentially thousands of patients in public view on the ACH website. ACH agreed to a $500,000 settlement and a substantial corrective action plan.

Takeaway for ASCs: As ASCs contract with several outside entities for various business and technology processes, they must have a stringent contractor vetting policy and sound business associate agreements. When an ASC gives an external individual or organization access to its patient information, it must consider that external agent to be a potential vulnerability as part of a HIPAA risk analysis.

Allergy Associates

What Happened: Allergy Associates, a small (three doctor) practice in Connecticut, specializes in treating patients with allergies. A former patient contacted a local television about a dispute with an Allergy Associates’ doctor, and the reporter then contacted the doctor for comment. In the discussion with the reporter, the doctor impermissibly disclosed the patient’s PHI. Allergy Associates agreed to pay a $125,000 settlement and undertake a corrective action plan that included two years of monitoring for HIPAA compliance.

Takeaway for ASCs: As with any medical entity, there is always the chance that a news organization might come to an ASC enquiring about a specific patient or interaction. ASCs should always place the highest priority on patient privacy rights, regardless of how disclosing information might affect the news story. In the case of Allergy Associates, the company’s privacy officer had specifically instructed the doctor to not respond to the media or say, “no comment.” Furthermore, no disciplinary or corrective action was taken after the doctor had impermissibly disclosed information to local news. ASCs should take care to write and enact internal policies regarding contact with the media and provide regular training to all clinical staff about the impropriety of any PHI disclosure regardless of the news story.

ASCA provides many resources to help ASCs remain compliant with HIPAA. The page dedicated to HIPAA Resource can be found in the Federal Regulations section of the main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira.