HIPAA Covered Entities and Business Associates Must Manage Risk to Electronic Protected Health Information
On October 17, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced its latest settlement with a covered entity for alleged violations of the HIPAA Privacy and Security Rules. The resolution amount is one of the agency’s largest – $2.14 million. The settlement underscores the need for covered entities (CE) and business associates (BA) to implement a robust security management process for electronic protected health information (ePHI) to prevent, detect, contain, and correct security violations.
The settlement results from an investigation of St. Joseph Health (SJH), an integrated health care delivery system consisting of acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics, and physician organizations in California, Texas, and New Mexico. In 2012, SJH reported that certain files created for participation in HHS’ meaningful use program were publicly accessible on the internet, via various search engines for a 1-year period. The server SJH purchased to store the files included a file-sharing application with default settings allowing “anyone with an internet connection” to access the files. SJH did not examine or modify the server or file-sharing application’s default settings before implementing them, allowing the public “unrestricted access” to 31,800 individuals’ ePHI.
OCR’s investigation indicated the following conduct occurred:
SJH impermissibly disclosed 31,800 individuals’ ePHI, in violation of the Privacy Rule;
SJH failed to perform a technical and nontechnical evaluation in response to an operational change affecting the security of ePHI in violation of the Security Rule; and
SJH failed to satisfactorily conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the ePHI held by its enterprise, in violation of the Security Rule.
SJH agreed to pay a $2,140,500 resolution amount, and enter into a 3-year corrective action plan that requires it to, among other things:
Conduct an enterprise-wide analysis of the security risks and vulnerabilities to ePHI, which includes developing a “complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI,” submit the risk analysis to OCR, and revise it according to OCR’s recommendations (repeating this cycle until OCR approves the final risk analysis);
Develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis, submit the risk analysis to OCR, revise it according to OCR’s recommendations (again, repeating the cycle until OCR approves the final risk management plan), and officially adopt and immediately begin implementing the approved risk management plan;
Revise its policies and procedures to comply with the Privacy Rule’s provisions regarding permitted uses and disclosures of PHI, submit the policies and procedures to OCR, revise according to agency recommendations (repeating until OCR approves), and officially adopt the approved policies and procedures; and
Obtain OCR approval of proposed training materials for the new policies and procedures, and train appropriate workforce members.
OCR Director Jocelyn Samuels emphasized, “Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI. The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”
Significance of the SJH Settlement
The Security Rule charges all CEs and BAs with four mandates regarding the ePHI they create, receive, maintain, or transmit:
Ensure the confidentiality, integrity, and availability of ePHI;
Protect ePHI against reasonably anticipated threats or hazards to security or integrity;
Protect ePHI against reasonably anticipated uses or disclosures not permitted or required by the Privacy Rule; and
Ensure workforce compliance with the policies and measures in place to protect ePHI.
To do so, the Security Rule requires that CEs and BAs implement various administrative, physical, and technical safeguards, which include both standards and implementation specifications. One foundational administrative safeguard for ePHI is the security management process – policies and procedures to prevent, detect, contain, and correct security violations.
As part of the security management process, CEs and BAs must implement:
A risk analysis, which is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and
A risk management plan – security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level.
While the Security Rule mandates a risk analysis, it does not tell CEs and BAs how to conduct one, recognizing that one size will not fit all regulated entities. Rather, the Security Rule permits flexibility in this and other security measures: CEs and BAs can design a risk analysis that suits their size, complexity, and capabilities; their technical infrastructure and hardware and software capabilities; the cost of the security measure; and the likelihood of potential risks to ePHI, as well as the damage those risks would do if they materialized (the “probability and criticality” of potential risks).
CEs and BAs must take reasonable and appropriate security measures to reduce risks and vulnerabilities to a reasonable and appropriate level. However, OCR’s enforcement activities make several things clear: the risk analysis must be enterprise-wide and consider less conventional or traditional ePHI repositories (such as photocopiers, applications, and the cloud). Further, regulated entities must follow up on their risk analysis by implementing an informed risk management plan designed to reduce identified risks and vulnerabilities to a reasonable and appropriate level. Together, risk analysis and risk management form the cornerstone of a CE’s or BA’s compliance program.
The risk analysis and risk management plan are not one-time endeavors. As the SJH settlement makes clear, regulated entities must also periodically perform a technical and nontechnical re-evaluation of the risk analysis and risk management plan in response to “environmental or operational changes affecting the security of [ePHI],” to establish the extent to which their security policies and procedures comply with the Security Rule.
It is on that last requirement that SJH appears to have faltered. When SJH introduced a new server to store files containing ePHI for its participation in the meaningful use program, the Security Rule required it to evaluate the accompanying risks to ePHI and update its risk analysis, risk management plan, and policies and procedures to ensure it managed those risks to a reasonable and appropriate level.
With OCR Phase 2 compliance audits underway, and OCR enforcement activities on the rise, now is the time for covered entities and business associates to ensure they have in place an accurate and thorough, enterprise-wide risk analysis. Taking a lesson from SJH, organizations should incorporate into the risk analysis an inventory of all electronic equipment, data systems, and applications that contain or store ePHI. Regulated entities should follow the risk analysis with a risk management plan to address identified risks and vulnerabilities, and perform a technical and nontechnical re-evaluation of their security management process in response to environmental or operational changes, such as the introduction of new IT assets, that may affect the security of ePHI.
If you have further questions on HIPAA compliance and Phase 2 audits, contact Kim Metzger or Deepali Doddi. Also, see our HIPAA Audit Guide for more information.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
45 CFR 164.308(a)(1)(ii)(A).
45 CFR 164.308(a)(1).
45 CFR 164.308(a)(1)(ii)(A).
45 CFR 164.308(a)(1)(ii)(B).