Legal perspectives on compliance in general and HIPAA in particular

10 Companies That Lost Millions For These Avoidable HIPAA Violations

As Telehealth grows and becomes more relevant to healthcare, so too are the protections around it. Through Telehealth, medical providers are creating, storing, exchanging and deleting Electronic Protected Health Information (ePHI) all the time; but is this safe? Can video streams be tapped without their knowing? Is the information that’s stored online secure? Will PHI end up in the public view? HIPAA regulations have standards to prevent these, but are providers and their associates following them? Here’s what happened to 10 that didn’t.

(These 10 are not in any order and were chosen only to outline the various reasons and amounts for which one can be penalized)

new-york-presbyterian-hospital-cornell-medical-center

 

banner-1

 

 


1) $4.8 Million – New York-Presbyterian Hospital and Columbia University Medical Center
The largest HIPAA settlement at the time, however the OCR had been investigating large scale violations since before this incident in early 2014. The reason this case is so special is because it was a joint breach between NYP and CU by the actions of one CU physician. According to HHS’ report: “The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” 6,800 people’s sensitive health information released to the internet; this is definitely cause for a hefty fine. After a full investigation sparked by this incident, OCR found these other violations:

  1. Failure to conduct an accurate and thorough risk assessment
  2. (As a result ->) Missing risk management and contingency plans
  3. No implemented policies and procedures for authorizing access to its databases

Print

 

 


2) $445,000 – Presence Health

A significantly smaller fine than the last but still not small, the U.S. Department of Health and Human Services has fined Presence Health for lack of a timely breach notification. (According to the HIPAA Breach Notification Rule, Covered Entities are to notify the affected individuals within 60 days of discovery.)

 

St_Josephs_Hospital_1385486

 

 

 

3) $2.14 Million – St. Joseph Health
A nonprofit yet large network, SJH was served a hefty fine along with a comprehensive corrective action plan. They were reported to have ePHI that was publicly accessible through internet search engines. Other violations include:

  1. Vulnerabilities to the PHI of 31,800 individuals
  2. Implementation of a new server without proper evaluation on environmental and operational changes
  3. While hiring a number of contractors to assess risk, as required by the HIPAA security rule, it was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis”.

ummc_logo

 

 

 

4) $2.75 Million – University of Mississippi Medical Center
While aware of the vulnerabilities to its system since 2005, UMMC did nothing and an investigation was sprung when approximately 10,000 individuals ePHI was breached via a stolen laptop. It contained easy access to thousands of patient files. Other violations found include:

  1. Did not implement policies to prevent, detect, contain and correct security violations
  2. Lacked policies on physical safeguards (i.e: for workstations, restricting access to ePHI)
  3. Did not assign unique user information to track and identify identity in information systems
  4. Did not notify individuals of the breach

 

Header_DHSS

 

 

5) $1.7 Million – Alaska Department of Health and Social Services
Choosing this one to show that even a state health division must be careful following HIPAA regulations. There are no exceptions; if you are investigated by the OCR, you are not immune to penalty. In this incident, an unencrypted hard drive containing PHI was stolen from an employee’s car. This sparked an investigation which found violations of:

  1. No risk assessment
  2. Did not implement security measures
  3. Neglected to have security training

 

cbk

6) $4.3 Million – Cignet Health Center
OCR had investigated Cignet for refusing 41 patient requests for their medical records. A violation that resulted in a $1.3 Million fine. This wasn’t the only one Cignet committed. They were also in violation of refusing OCR’s request for records / refusing to cooperate overall. (Fined $3 million for this)

 

 

imgres

 

 

7) $650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia
Due to the theft of an employee’s mobile device containing PHI of nursing home residents, CHCS was fined over half a million dollars. The company is a provider to six nursing facilities but it had neglected to cover these HIPAA rules:

  1. Encrypt any ePHI that is created, received, maintained, etc.
  2. Conduct an enterprise-wide risk analysis
  3. Have a contingency plan
  4. Train staff on security measures

 

raleigh-orthopaedic-new

 

 


8) $750,000 – Raleigh Orthopedic Clinic, P.A. of North Carolina
This hefty fine was simply the result of not having a Business Associate Agreement (BAA). This is a section of HIPAA that many are finding they cannot disregard. Raleigh Orthopedic had disclosed the information of over 17,000 patients to a potential partner without signing a BAA / without protecting their patients’ information from misuse and improper disclosure. While it may seem easy to overlook, its consequences are no light matter.

 

NMHClogo294

 

 

9) $1.55M – North Memorial Health Care of Minnesota
Just to underscore the importance of a BAA, here is another fine issued by the OCR. This fine was particularly expensive because they had released the information of almost 300,000 patients. In the end they had overlooked two major cornerstones of HIPAA rules: a. BAA b. Enterprise-wide risk assessment.

 

uwmed

 

 

10) 750,000 – University of Washington Medical
Because an employee opened up an email containing malicious malware, the ePHI of 90,000 individuals was compromised. In addition to this, the OCR fined them for not having procedures to prevent, detect, contain and correct such violations. With this relatively miniature fine (though not at all miniature on its own), they must now include a corrective plan with annual reports on their compliance efforts.


The Takeaway

The main reason to follow HIPAA regulations so closely is to protect our patients, clients and ourselves. Privacy and confidentiality in this day is increasingly cherished and we have to work to secure that. For those of you that need another reason, these penalty examples are for you. For those that are genuinely concerned, don’t worry; just take action. The theme in these incidents is repetitive and preventable:

  • Have a signed BAA with anyone handling your PHI
  • Guard your mobile devices and encrypt them
  • Implement security policies and procedures

Click here for more information on BAAs

Click here for summaries on the HIPAA Security Rule

 

The Telehealth Resource You Need

screen-shot-2016-12-27-at-2-49-53-pm

Image from Telehealth Resource Centers

If you’ve been looking for information on Telehealth (what it’s about, reimbursement details, legal information, implementation strategies, etc.) Telehealth Resource Centers can help. TRC is a great resource because it stays up to date and addresses several fundamental questions that arise with this new technology. Examples include:

  • “What is the recommended process for introducing Telemedicine at a remote site?”
  • “How should the local community be informed of available Telemedicine services?”
  • “How do I know if a pilot test has been successful?”
  • “What needs to be included in a protocol for a live, interactive session?”

And these are just a few of many questions that they provide solutions on. As you know, different states can have varying laws; TRC covers that too. To find your own Telehealth Resource Center check here.

They also go above and beyond by conducting free webinars and posting the slides / recordings in case you missed it. It is really an excellent resource on all things Telehealth.

The 9 Standards for HIPAA’s Administrative Safeguards

HIPAA’s definition on Administrative Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” HHS.gov Continue reading “The 9 Standards for HIPAA’s Administrative Safeguards” »

The First Major Mental Health Legislation in Nearly a Decade – Ready to be Signed by President Obama


Talks about how to improve mental health have long been swept under the rug and kept there, however earlier this year the House of Representatives changed that by introducing the 21st Century Cures Act. The bill emphasizes a parity between mental and physical health and has included grants to increase the number of existing mental health practitioners. Continue reading “The First Major Mental Health Legislation in Nearly a Decade – Ready to be Signed by President Obama” »

The 4 Standards for HIPAA’s Physical Safeguards

HIPAA’s definition on Physical Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” HHS.gov

Read more

What You Should Know About Government Back Doors in Medical Videoconferencing

 

GovtCode

Yesterday, Apple CEO Tim Cook published a letter to Apple customers, in response to an order given by the United States Government directing Apple to provide technical assistance to federal agents attempting to unlock the contents of an iPhone 5C that had been used by Rizwan Farook, who along with his wife, Tashfeen Malik, killed 14 people and wounded 22 others on December 2 in San Bernardino, California.

A United States Magistrate judge in Los Angeles has upheld the government order, clearing the way for certain appeal by Apple to the 9th U.S. Circuit Court of Appeals, which is notoriously pro-privacy, and possible final appeal the the United States Supreme Court.

Cook’s primary concern is not around the technical assistance Apple might provide in decrypting information contained on that single phone (in fact, according to an Assistant United States Attorney Apple has already complied with over 70 such requests since 2008, see article here), but instead around the ensuing creation of legal and technical precedents which could require manufacturers to provide government agencies with encryption “back doors” in upcoming iOS releases. If upheld, the government’s order, which is argued using a rarely invoked 1789 congressional statute, could indeed provide legal precedent for the U.S. Government to require encryption back doors to be engineered into any product created by any manufacturer.

Reading Tim Cook’s letter immediately got me wondering: if the government prevails in its case, and these back doors become required, what would be the effect on the medical videoconferencing industry? As is so often the case, the devil is in the details.

To be feasible for a given videoconferencing product, encryption back doors would require three technical and operational conditions:

1) The creation by the product manufacturer of a master key which, when used, would provide to the holder of the master key the session key for an encrypted video session; and,
2) The provision of that master key by the manufacturer to a government agency upon proper request; and,
3) The possession of the encrypted data stream by the government agency.

The first condition is not terribly difficult to meet. Private session keys are required for every encrypted session, and thus the provision of those keys based on an authenticated master key is, at most, an implementation detail.

The second condition would require, one hopes, some detailed legal prophylaxis to ensure that the master key is used only in certain clearly defined, and relatively rare, circumstances. Of greater concern, however, would be the safeguarding of the master key. If one criminal, foreign agent, or manufacturer or government employee gained access to the master key for a device, the security for that device would be compromised until the master key could be changed. If the unauthorized access was obtained without the manufacturer’s awareness of the breach, then the security for that device would be compromised for an indefinite period of time.

The third condition requires that the data stream be accessible by the manufacturer, or the customer to whom the manufacturer has sold or leased the product. Of the three conditions, this is the trickiest for the government, because access to the encrypted data stream will differ for each product, deployment model, and customer. Gaining access to a video stream from an MCU hosted in the cloud by Manufacturer A is as simple as gaining network access to the Manufacturer A data center, which Manufacturer A would presumably be required to grant. However, gaining access to a peer-to-peer stream being transmitted directly from one computer to another would require foreknowledge of the internet routes to be taken by the video packets, which ranges from unlikely to impossible depending on the specifics of the connection.

If the government prevails in its case, it is possible that every large videoconferencing vendor using a Multi-point Control Unit (MCU) would be required to construct a back door, thus eliminating the possibility of absolute privacy in MCU-based videoconferencing systems, except those hosted in data centers to which the United States Government cannot demand access, or those manufactured by smaller vendors to whom the government has not applied the requirement (due to oversight, undue burden, or lack of volume). The vast majority of videoconferencing providers use some kind of MCU technology, and so it is not difficult to imagine these vendors eventually offering offshore cloud-based MCUs, or customers with On Premise deployments deciding to host part of the infrastructure offshore. Cloud customers would have the option of paying less for optimal performance where video streams would be subject to government capture and decryption, or paying more for sub-optimal performance where video streams would not be subject to government capture and decryption.

Customers of peer-to-peer systems such as SecureVideo/VSee, on the other hand, would not be affected by MCU access, because there is no MCU in a peer-to-peer system. While the government could require the provision of a master key, the government in most cases would not be able to capture the encrypted packets, and could therefore not gain access to the encrypted video streams.

As to the likely market reactions, your guess is as good as mine. Videoconferencing customers generally may not care about possible government decryption of their video streams. It is possible that most videoconferencing customers won’t care, but medical videoconferencing customers will care deeply, based on the possibility of a master key breach putting massive percentages of protected health information into unauthorized hands. If this happens, I would expect many of them to explore peer-to-peer technologies such as ours. At the very least, depending on what happens with Apple’s appeals process, this is a very important development for medical privacy professionals to keep an eye on, with respect to both videoconferencing as well as other affected technologies such as mobile devices, full disk encryption, cloud storage, secure web transactions, and whatever else you can think of that has encryption as a security underpinning.

American Bar Association Webinar: HIPAA Applies to Lawyers?

The full title of the webinar is actually much catchier: You Mean HIPAA Applies to Lawyers? Keeping Data Safe, Clients Happy and Your License Secure.

Hosted by the American Bar Association, this webinar discusses how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act may affect practicing lawyers that may now fall under the definition of “business associate”.

From the webinar description:

It is imperative for lawyers to determine: (1) whether they are a business associate under HIPAA (or, how they might inadvertently become one); and (2) if they are a business associate, what steps must be taken in order to assure their compliance with the new HIPAA requirements under HITECH.

This program provides a foundational background of HIPAA and HITECH and provides an overview of the following:

  • How law firms become business associates (intentionally or inadvertently)
  • What HIPAA requires of law firm business associates
  • How to properly safeguard client data
  • Unauthorized uses and disclosures
  • What constitutes a “breach”
  • Business associate requirements in case of a breach
  • Penalties, criminal, and civil liability associated with HIPAA
  • Potential other ethical conflicts caused by HIPAA as you are forced to execute contractual agreements with clients

While the live webinar already took place on April 21, 2014, an on-demand recording is freely available to American Bar Association members for the next three months. As a bonus, this webinar provides 1.5 credits for Continuing Legal Education (CLE).

If you already have an understanding of how HIPAA may regulate your interaction with your client’s data, and are looking for a HIPAA-compliant way to remotely communicate with your clients, check out how SecureVideo.com provides HIPAA-compliant videoconferencing services. You can also test our services by creating a free account, read more about us in our Support Center, or e-mail your questions to info[at]securevideo.com.