Tag Archives: OCR

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates). While one might have suspected that enforcement actions would be down under this administration, in fact the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid more than $111,000 for failing to terminate a former employee's access to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, whose software they were using.

The former employee accessed the data twice, two months apart, but did not appear to do anything malicious with it.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

As evidence, this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved. That translates to a fine of $200 per record disclosed.

In addition, fining someone for not having a BAA with a company like Google indicates that OCR definitely wants people to follow the process, regardless of whether there is significant risk (on the part of Google). After all, Google probably has security as good as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done. Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.



Feds to Increase Audits Of Doctors’ Protection Of Your Information

The Inspector General of Health and Human Services (OIG) reported that the HHS Office for Civil Rights (OCR) is not effectively auditing HIPAA covered entities. A covered entity includes doctors and hospitals that have primary ownership of your health records. As a result, the OCR is establishing a permanent audit program and working to identify potential audit targets.

One place OCR is apparently going to be looking is at business associates, or BAs. In HIPAA speak, BAs are those vendors that a doctor or hospital uses that have access to your information. Under the rules, your doctor must not only have a written agreement with that vendor, but must also use reasonable diligence to make sure that the security of your information is protected.

Also, the rules are changing regarding what is a breach. It used to be that you only had to report a breach if there was significant risk of financial or reputational harm, as evaluated by the doctor or hospital. Needless to say, most lost data did not present significant risk. Now any breach has to be reported.

The exception is data that is encrypted in such a way that there is no reasonable way for the hacker to read it.

And, this includes mobile devices (PHONES!) that contain patient data, so just encrypt patient data wherever it lives.

A Massachusetts dermatology clinic discovered this the hard way when they lost a thumb drive. Their wallet is now $150,000 lighter.

Doctors that use computerized record keeping systems called EHRs now need to provide copies of those records within 30 days of a request, down from the old 90-day window. That could challenge doctors and hospitals that don't have a system in place to do that.

And, there are many other rules that both doctors and their service providers need to comply with.

Now that the OCR is finally going to have an active audit program, expect more violations. It's not that the violations weren't happening before, it is just that no one was looking.

Those doctors and hospitals that do not have an active program for monitoring their HIPAA compliance may find themselves with a problem. HIPAA and its cousin HITECH have been around for years. One of the goals of HITECH was to put teeth in the enforcement of HIPAA. That goal may have just been accomplished.

If you are a doctor, hospital or service provider to one, don’t say you did not know.

Information for this post came from Family Practice News.

Office Of Civil Rights At HHS Starting Up Audits Again

The Office Of Civil Rights (OCR) has been pretty quiet these last couple of years regarding HIPAA audits, but that may be about to change.

OCR's staff is small, so they have hired a contractor, FCI, according to the Federal Register. In an interview, deputy director Deven McGraw says that they will be starting up random audits again early next year.

FCI's contract, for a little under a million dollars, is very small by federal standards. This means that they will be doing narrowly focused remote audits.

Recently, OCR fined a small oncology clinic $750,000 for a laptop and server that were stolen but not encrypted.

Deven said that anything that is not nailed to the floor (her words) should be encrypted – laptops, storage devices, servers and desktops, for example.

She said that even though encryption is "addressable", that does not mean that it is optional, even for the smallest health care providers and business associates. We EXPECT you to address encryption of data at rest, and if you don't encrypt, you must implement an alternative option in its place as well as documenting the reasoning.

Iliana Peters, senior advisor for compliance and enforcement at OCR, said that there really aren't any other great options besides encryption.

They also said that lost devices, even encrypted ones, that have to be reported are indicators of other problems at the organization.

Deven also said that it all starts with a HIPAA risk analysis. I suspect that reviewing your risk analysis document is something that could easily be done remotely and could lead to more questions if you do not have one, or if the one you do have indicates more problems. The message regarding risk analysis is to stop procrastinating.

While it remains to be seen what OCR will do starting in 2016, this might be a good time for covered entities to make sure that their HIPAA house is in order, as well as the houses of their Business Associates, since CEs are now liable for the errors of their BAs.

Small providers, ones for whom a $750,000 fine for having two devices stolen out of an employee's car would be devastating, should probably start looking now to see if they have their HIPAA security rule act in order.

Information for this post came from two articles at Data Breach Today, here and here.