By: Lyndsey Barnett and Michaela Taylor*
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has handed down its latest enforcement action against a medical center in Oklahoma for violations of HIPAA's Privacy, Security, and Breach Notification Rules. The medical center will pay $875,000 to resolve a third-party breach of a web server containing PHI that dated back to March 2016 and resulted in the disclosure of the PHI of more than 275,000 individuals, including their names, Medicaid numbers, health care provider names, dates of service, dates of birth, addresses, and treatment information.
When the medical center first reported the incident to OCR in January 2018, it stated that the breach had occurred in November 2017, but it was later revealed that the breach had been discovered as early as September 2016. As justification for its inaction, the medical center stated that it was not aware that the compromised server contained PHI. Following a thorough investigation, OCR determined that the medical center's existing protocols did not meet the required standards for the protection of PHI, and that its untimely notification allowed continued unauthorized use of unsecured patient data. As part of the settlement, the medical center also agreed to a corrective action plan (CAP) requiring it to submit reports to OCR detailing its compliance for two years.
Cases like this one not only signal heightened scrutiny from OCR, but also serve as a warning to covered entities. As OCR Director Lisa J. Pino noted, "HIPAA covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems. Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements." Had the medical center reported the breach when it was first discovered in 2016, or taken steps to secure the server and the data on it, the consequences it faced would likely have been less severe.
Health plans, health care providers and business associates that handle PHI must consistently monitor and audit their systems so that they know every location where PHI is stored and who is accessing it. If a breach is discovered, it is imperative to act quickly, both to contain the breach and to avoid harsh sanctions. We have a team of attorneys who assist clients when they have the unfortunate experience of a security breach. Should you have an incident and need assistance, please contact any member of the Graydon employee benefits team.