Three High-Dollar OCR Settlements (Including Largest to Date Against Single Entity) Emphasize Importance of HIPAA Security Management Process
On August 4, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the largest settlement against a single entity: $5.55 million with Advocate Health Care Network for multiple alleged HIPAA violations. This is the latest of three recent settlements that underscore the need for a robust security management process that includes both a Security Rule risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI), and a risk management plan in which the covered entity (CE) or business associate (BA) implements security measures sufficient to reduce those risks and vulnerabilities to reasonable levels.
OCR opened its investigation after receiving three breach reports from Advocate related to "separate and distinct" security incidents at Advocate Medical Group, a subsidiary:
The theft of four desktop computers from an administrative office, containing almost 4 million individuals' unsecured ePHI.
The unauthorized access of a billing service business associate's (BA) network, potentially compromising more than 2,000 individuals' unsecured ePHI.
The theft of an unencrypted laptop from a workforce member's vehicle, containing more than 2,000 individuals' unsecured ePHI.
OCR's investigation indicated the following conduct appears to have occurred:
Failure to conduct an accurate and thorough risk analysis incorporating all of Advocate’s facilities, information technology equipment, applications and data systems utilizing ePHI.
Failure to implement policies and procedures to limit physical access to its electronic information systems housed within one of its buildings.
Failure to reasonably safeguard individuals' ePHI (with respect to the first breach).
Failure to obtain satisfactory assurances in the form of a written business associate contract from the billing services BA that the BA would reasonably safeguard all the CE's ePHI in its possession or control.
Impermissibly disclosing ePHI to the billing services BA when the CE failed to obtain satisfactory assurances in the form of a business associate contract that the BA would appropriately safeguard all ePHI in its possession or control.
Failure to reasonably safeguard ePHI when a workforce member left an unencrypted laptop in an unlocked vehicle overnight.
Advocate agreed to pay a $5.55 million resolution amount and enter into a comprehensive corrective action plan (CAP) that includes: (1) inventorying all facilities, electronic equipment, data systems, and applications that contain or store ePHI; (2) modifying its existing Security Rule risk analysis to include all facilities and all electronic equipment, data systems, and applications; (3) developing and implementing a risk management plan based on the findings of the risk analysis; (4) implementing a process for evaluating environmental and operational changes affecting the security of ePHI; (5) developing an encryption report including the total number of all devices and equipment, the total number of devices and equipment that are encrypted, and an explanation for why any equipment or devices are not encrypted; (6) reviewing and revising policies and procedures on device and media controls, facility access controls, and business associates; and (7) developing an enhanced privacy and security awareness training program. Advocate also agreed to develop a plan to internally monitor its compliance with the CAP and engage an external, third-party monitor to periodically assess Advocate’s adherence to the CAP’s numerous requirements.
Commenting on the settlement, OCR Director Jocelyn Samuels emphasized: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure …. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
The Advocate settlement is strongly tied to reported deficiencies in the CE's security management process. The Security Rule mandates that CEs and BAs implement, as part of their administrative safeguards, "processes and procedures to prevent, detect, contain, and correct security violations" for ePHI.
These processes and procedures comprise the "security management process" standard for CEs and BAs. The standard has four required implementation specifications:
Risk analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the CE or BA.
Risk management: Security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Sanction policy: Appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the CE or BA.
Information system activity review: Procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
The sheer size of the Advocate resolution amount – and the comprehensive nature of the CAP – alone strongly telegraph OCR's interest in the security management process. If that is not convincing enough, consider that the Advocate settlement is the third in less than two weeks to address what have come to be known as the "cornerstones" of Security Rule compliance: risk analysis and risk management.
On July 21, 2016, OCR announced a $2.75 million settlement with the University of Mississippi Medical Center (UMMC), a CE, resulting from multiple alleged violations of the HIPAA Privacy Rule and Security Rule. OCR’s involvement began when UMMC reported that a password-protected laptop was missing from the hospital. UMMC’s internal investigation revealed that a visitor, who had asked about borrowing a laptop, had likely stolen it. OCR subsequently learned that ePHI stored on a hospital network drive was vulnerable to unauthorized access via the hospital’s wireless network: users could enter a generic username and password and access an active directory containing 67,000 files, some of which contained 10,000 patients’ ePHI.
OCR’s investigation indicated that while UMMC had implemented HIPAA policies and procedures, and had been aware of risks and vulnerabilities to its systems as early as April 2005, “no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.” Specifically, OCR determined that the following conduct occurred:
Failure to implement policies and procedures to prevent, contain, and correct security violations, including conducting an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it holds (i.e., failure to conduct a Security Rule risk analysis), and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (i.e., failure to conduct follow-up risk management).
Failure to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
Failure to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing the CE from tracking which specific users were accessing ePHI.
After discovering the breach of unsecured ePHI, failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach (the CE had provided notification on its website and in local media outlets).
The CE agreed to pay a $2,750,000 RA and institute a CAP to help ensure future compliance. Addressing the settlement, OCR Director Jocelyn Samuels emphasized the importance of risk management: “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame …. We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
Just three days before announcing the UMMC settlement, OCR publicized another multi-million dollar settlement against a CE, Oregon Health & Science University (OHSU), again relating to the security management process. OHSU agreed to pay a $2,700,000 RA, and enter into a comprehensive, 3-year CAP.
OHSU’s troubles began as so many do – with lost or stolen portable media devices. OHSU had submitted “multiple breach reports affecting thousands of individuals,” including two reports involving unencrypted laptops, and another large breach resulting from a stolen unencrypted thumb drive. OCR’s investigation revealed “widespread” issues with OHSU’s HIPAA compliance program, including storing ePHI of more than 3,000 individuals on a cloud-based server without the benefit of a business associate agreement.
OCR found OHSU’s security management process lacking in several respects:
OHSU lacked the basic underpinnings of a security management process – policies and procedures to prevent, detect, contain, and correct security violations.
While OHSU had performed six (6) Security Rule risk analyses (a required implementation specification) going back several years, they did not cover all ePHI held by OHSU, as the Security Rule requires.
Despite identifying risks and vulnerabilities in “many areas” of the organization, OHSU did not follow through with risk management (another required implementation specification) sufficient to reduce risks and vulnerabilities to an acceptable level.
Further, OCR determined that OHSU did not implement another important technical safeguard that has been at the root of multiple OCR enforcements – encryption and decryption (or an equivalent alternative measure) for ePHI on workstations – despite having identified this as a risk to ePHI.
Commenting on the settlement, OCR Director Samuels emphasized: “From well-publicized large scale breaches and findings in their own risk analyses, [the CE] had every opportunity to address security management processes that were insufficient. Furthermore, [the CE] should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI …. This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
These three most recent settlements are timely in light of the Phase 2 desk audits currently underway for 167 covered entities. OCR recently announced that the audits will address, among other compliance requirements, the security management process, including both risk analysis and risk management. While several recent enforcements have emphasized the dangers of a skimpy or nonexistent risk analysis, equally important is the fact that implementing less than all components of the security management process leaves ePHI vulnerable to existing threats and risks. For example, OHSU had identified certain risks and vulnerabilities to ePHI (risk analysis), but had not taken steps sufficient to reduce them (risk management). The security management process as a whole, therefore, was lacking, leaving ePHI vulnerable to identified threats.
Advocate, UMMC, and OHSU, notable for their recency, are but the latest OCR enforcements to address an organization’s need to conduct an enterprise-wide risk assessment, and follow through with appropriate risk management. While the Security Rule emphasis is always on what is “reasonable and appropriate” for a particular entity, it is impossible to overstate the importance of the risk analysis as a foundational element of the CE’s or BA’s security management process. OCR enforcement bears this out – the following are just two examples:
The University of Washington Medicine – December 2015 (RA/CAP and $750,000 resolution amount)
UWM is an “affiliated covered entity” (ACE) composed of the University of Washington’s designated health care components. An affiliated covered entity is a group of legally separate CEs under common ownership and control that have designated themselves a single CE for purposes of the HIPAA Rules. ACEs must have policies and processes in place to ensure that each component entity complies with the HIPAA Rules.
OCR began its investigation after receiving a breach report indicating that approximately 90,000 individuals’ ePHI was accessed after an employee downloaded an email attachment containing malware. OCR’s investigation indicated that the CE failed to conduct an accurate and thorough risk assessment, as the Security Rule requires. Specifically, while the ACE’s policies and procedures required risk analyses and Security Rule compliance by each affiliated entity, it did not in fact ensure that each entity complied.
OCR Director Samuels commented: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise …. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
Idaho State University – May 2013 (RA/CAP and $400,000 resolution amount)
OCR opened its investigation after the CE reported a breach of 17,500 patients’ ePHI due to the disabling of firewall protections at the CE’s servers. OCR's investigation indicated the following conduct occurred:
Failure to conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process.
Failure to adequately implement security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level.
Failure to adequately implement procedures to regularly review records of information system activity to determine if ePHI was inappropriately used or disclosed.
Addressing the settlement, former OCR Director Leon Rodriguez emphasized: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program …. Proper security measures and policies help mitigate potential risk to patient information.”
While a risk analysis is a “cornerstone” of the security management process, it does not stand alone. Identifying risks and vulnerabilities to ePHI is only part of the task: the CE or BA must also take steps to reduce and manage those risks.
Concentra Health Services – April 2014 (RA/CAP and $1,725,220 resolution amount)
OCR opened a compliance review of the CE after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities. According to HHS, the CE had previously recognized in “multiple risk analyses” that lack of encryption for devices containing ePHI was a critical risk. While the CE had taken steps to begin encryption, OCR described its efforts as “incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization.”
OCR’s investigation indicated the following conduct occurred:
Failure to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.
Failure to sufficiently implement policies and procedures to detect, contain, and correct security violations under the security management process standard. Specifically, the CE did not adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level.
Commenting on this enforcement, former OCR Deputy Director of Health Information Privacy Susan McAndrew focused on the importance of encryption to mobile device security. While this is certainly an important lesson, perhaps a stronger message to take from Concentra is to avoid letting your Security Rule risk analysis gather dust. The risk analysis should be an active, living document that guides timely corrective action. Only then can it truly be part of a security management process, as the Security Rule intends.
The Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
This includes protecting against reasonably anticipated threats or hazards to security or integrity.
To accomplish these goals, CEs and BAs must implement administrative, physical, and technical safeguards – including a security management process consisting of policies and procedures to prevent, detect, contain, and correct security violations.
Conducting a risk analysis is an important and high-profile component of the security management process. While CEs and BAs may take a flexible approach to risk assessment, the assessment must be accurate, thorough, and enterprise-wide. Further, CEs and BAs must follow the risk analysis with a risk management process designed to reduce risks and vulnerabilities to a reasonable and appropriate level.
Risk analysis and risk management are interactive processes that grow and change with the organization and its threat environment. Neither security management component can stand alone. As OCR’s three most recent RA/CAPs illustrate, both are necessary (along with other security management implementation specifications) to appropriately manage risks and vulnerabilities to ePHI.
For more information on HIPAA risk management, contact Kim Metzger, Deepali Doddi, or a member of our Data Security and Privacy group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 160.103 and 164.502(a)
45 CFR 164.308(a)(1)(i)
45 CFR 164.308(a)(1)(ii)
45 CFR 164.308(a)(1)(i)
45 CFR 164.312(a)(2)(i)
45 CFR 164.312(a)(2)(iv)
As with all Security Rule requirements, CEs and BAs can take a flexible approach to risk analysis, considering – among other things – their size, complexity, and capabilities as well as the probability and criticality of potential risks to ePHI. (45 CFR 164.306(b)).
45 CFR 164.105(b)(1)
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.308(a)(1)(ii)(B)
45 CFR 164.312(a)(2)(iv)
45 CFR 164.308(a)(1)(i)
45 CFR 164.306(a)(1)
45 CFR 164.306(a)(2)