In the past two years, OCR HIPAA judgments and settlements of $3 million and over reveal a requirement that many covered entities fall short on. This article summarizes the 2018-2019 judgments/settlements of $3 million and over and the HIPAA compliance gaps OCR identified in each. The most common gap is the failure to perform a comprehensive enterprise-wide risk analysis. Risk analysis is then examined further by contrasting it with a HIPAA gap analysis and explaining why a gap analysis alone does not satisfy the Security Rule requirement to perform a risk analysis.
Who are HIPAA-Covered Entities?
Covered entities are health plans (including health insurance providers), healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA-covered transaction. Every covered entity that creates, receives, maintains, or transmits protected health information (PHI) must be able to evidence its compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Business associates, the service providers that create, receive, maintain, or transmit PHI in the course of the services they are contracted to perform for a covered entity, are also required to comply with the HIPAA regulations.
Who Governs HIPAA?
The U.S. Department of Health and Human Services (HHS) issued the regulations that protect the privacy and security of protected health information by establishing national standards for the privacy of individually identifiable health information (the Privacy Rule) and for the security of electronic protected health information (ePHI) (the Security Rule).
The Office for Civil Rights (OCR), within HHS, enforces the Privacy and Security Rules through compliance reviews and complaint investigations and imposes civil monetary penalties for non-compliance. Seeking compliance and establishing a culture of compliance are key to avoiding monetary enforcement penalties because they demonstrate that your organization takes its HIPAA obligations seriously.
What are Recent OCR HIPAA Judgment/Settlements?
OCR closed a record year in 2018 with over $28.5 million in HIPAA enforcement actions, including the largest settlement to date, $16 million with Anthem. Below is a summary of each 2018-2019 judgment or settlement of $3 million and over, highlighting what went wrong and some thoughts on how it might have been avoided. See the HHS Resolution Agreements page for more details on these judgments/settlements.
October 2018 – Anthem, Inc. – $16 million settlement
Anthem, Inc. was targeted by a persistent attacker using spear-phishing: an employee responded to a malicious email, which gave the attackers a foothold from which they gained access to and stole ePHI, resulting in the largest U.S. health data breach in history. In addition to the impermissible disclosure of ePHI due to inadequate access controls, OCR determined that Anthem did not perform an enterprise-wide risk analysis, did not regularly review information system activity, and did not identify and respond to security incidents in a timely manner. Performing a comprehensive enterprise-wide risk analysis is required under the HIPAA Security Rule. Timely review of suspicious activity recorded in system logs may have helped thwart the attacker's activity before it became a reportable breach.
Additionally, providing information security awareness training to new hires at onboarding and to existing employees annually is an important measure for informing employees, your first line of defense, about the latest security threats they may face and how to respond without causing harm. Update the training every year so that the most current and most common types of malicious attacks, such as phishing, are covered. Such training may have prevented the employee from responding to the phishing email.
June 2018 – University of Texas MD Anderson Cancer Center – $4.3 million judgment
MD Anderson had an unencrypted laptop stolen and lost two unencrypted USB drives containing ePHI. Centrally managing all endpoint devices, enforcing encryption on every laptop, and either blocking the use of USB drives or enforcing encryption on any drive that is used would have rendered the data unreadable to whoever ended up with the devices. Written encryption policies are good to have, but a policy that is not technically enforced is not a reliable security measure.
Additionally, although MD Anderson had rated the risk as high in its own risk analysis, the remediation actions for the identified gap were not implemented in a timely manner. Maintaining a current inventory of IT assets and knowing where protected health information is located are important elements of a comprehensive enterprise-wide risk analysis, but the risks it identifies must also be remediated and tracked to closure.
January 2018 – Fresenius Medical Care North America – $3.5 million settlement
OCR identified that Fresenius Medical Care failed to conduct a comprehensive risk analysis of the risks to the integrity, availability, and confidentiality of its ePHI. Performing a comprehensive enterprise-wide risk analysis that covers the threats and vulnerabilities to the integrity, availability, and confidentiality of all ePHI the organization creates, receives, maintains, or transmits is a required element of the HIPAA Security Rule.
November 2019 – University of Rochester Medical Center – $3 million settlement
The University of Rochester Medical Center failed to encrypt endpoint devices, including a laptop that was stolen and USB drives that were lost. OCR also noted that an enterprise-wide risk analysis had not been conducted. Centrally managing all endpoint devices and enforcing encryption on them, together with performing a comprehensive risk analysis, are key security measures for protecting ePHI.
May 2019 – Touchstone Medical Imaging – $3 million settlement
Touchstone exposed PHI on an FTP server that allowed uncontrolled access. OCR found that Touchstone's response to the security incident was not timely, that breach notification to the affected individuals was not timely, that a comprehensive risk analysis had not been conducted, and that required Business Associate Agreements (BAAs) were not in place. A documented incident response plan that is tested at least annually, a breach notification policy, a current list of vendors that may handle PHI and therefore require a BAA, and a comprehensive enterprise-wide risk analysis would each have helped mitigate the risk that Touchstone realized.
December 2018 – Cottage Health – $3 million settlement
Cottage Health exposed unsecured ePHI over the internet. OCR also found that a comprehensive enterprise-wide risk analysis thoroughly addressing the threats and vulnerabilities to the integrity, availability, and confidentiality of PHI had not been conducted, and that a BAA was not in place with a contractor who had access to ePHI as required.
Ensuring that internet-facing systems do not expose ePHI without access controls and that data in transit is properly encrypted are security measures that could have reduced the risk Cottage Health realized. Knowing which vendors have access to ePHI, so that a BAA can be executed with each, and performing a comprehensive enterprise-wide risk analysis would also have helped reduce the risks realized.
What are Common HIPAA Gaps in Recent Judgment/Settlements?
Common gaps across the material judgments and settlements reviewed above, each of which is a measure to consider within your own organization, are as follows:
- Performance of a comprehensive enterprise-wide risk analysis
- Encryption of ePHI at rest, in transit, and on all endpoints, including laptops and removable media
- Business Associate Agreements with vendors having access to PHI
- Review of system activity logs in a timely manner
- A documented incident response plan that is tested at least annually
- Information security awareness training for new hires at onboarding and annually for existing employees
In five of the six judgments/settlements noted above, OCR determined that a comprehensive enterprise-wide risk analysis had not been performed adequately, making the risk analysis requirement the most common HIPAA gap among the material judgments/settlements of $3 million or more.
A review of the judgments/settlements of less than $3 million over the same period shows two other common HIPAA gaps:
- Impermissible disclosure
- Right of access
Impermissible disclosures arise, for example, when a covered entity allows a film crew onsite for a documentary or uses patient information on social media to market its services; each patient's written authorization is required before any protected health information about them is disclosed for such purposes.
The first right of access enforcement case was settled by OCR in 2019. In summary, when a patient requests a copy of their protected health information from a covered entity, it must be provided within 30 days and at a reasonable, cost-based fee.
What is a HIPAA Gap Analysis?
Since failure to perform a comprehensive enterprise-wide risk analysis is the most common HIPAA compliance gap, it is important to understand both what does not qualify as an adequate risk analysis and what an acceptable one requires. A HIPAA gap analysis takes each standard in the HIPAA regulations and evaluates which existing controls the covered entity has in place to meet it. Wherever existing controls do not adequately address a standard, the gap is recorded and remediation actions must be taken to close it.
A HIPAA gap analysis is a good tool and is highly recommended for determining whether the Privacy, Security, and Breach Notification Rules have been met and where the organization comes up short. On its own, however, it does not satisfy the Security Rule requirement for a comprehensive enterprise-wide risk analysis, because a gap analysis is organized around the regulatory standards rather than around the organization's ePHI: it does not identify the specific threats and vulnerabilities to that ePHI or assess their likelihood and impact, so it does not cover all potential risks to protected health information.
What are Steps to a HIPAA Compliant Risk Analysis?
If you are just starting out on your HIPAA compliance journey, one of the first steps is to conduct a comprehensive enterprise-wide risk analysis. A HIPAA-compliant risk analysis is the process of identifying the threats and vulnerabilities in the organization's environment that could reasonably harm the integrity, availability, or confidentiality of the protected health information it creates, receives, maintains, or transmits.
Start with an inventory of your information technology assets and know where your protected health information is stored and how it is created, processed, and transmitted. Another way to think of this is to identify every place where ePHI is used and every way in which a breach of that ePHI could occur. Incorporating people (including third parties), processes, and technology into the assessment tailors the threats and vulnerabilities, and the resulting risks, to your organization's specific environment.
Once the threats and vulnerabilities are identified, map the existing controls that reduce the likelihood or impact of each. After every existing control has been mapped against each threat and vulnerability, evaluate the residual risk, that is, the likelihood and impact that remain after the existing controls are applied.
Typical controls include logical and physical access controls, encryption, antivirus software, patching, information security awareness training, and documented policies and procedures. If the residual risk is at an acceptable level, no further effort is needed beyond confirming that the controls are operating effectively. If the residual risk is not acceptable, remedial actions to bring the risk down to an acceptable level must be undertaken.
The risk analysis thus identifies the gaps where existing controls are insufficient and action is required. Residual risks with both high likelihood and high impact should be prioritized for mitigation.
Managing risk is a continuous process. A risk management plan guides the organization in evaluating, prioritizing, and managing risk; assigning roles and responsibilities; implementing controls that mitigate risk; and reassessing risk periodically (at least annually) and whenever the environment changes. Where gaps are identified, meaning risks are not mitigated to an acceptable residual level, action plans must be documented and tracked through to resolution.
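The steps above, worked through as a small risk register in Python. This is an added example and is not code from the original article or from Linford & Company. The 1-to-5 likelihood and impact scales, the control reduction values, the acceptable-residual threshold of 6, and the sample assets, threats, and vulnerabilities (loosely modeled on the settlement fact patterns described earlier) are all assumptions constructed for illustration; the HIPAA Security Rule does not prescribe a scoring method.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Control:
    """An existing or planned safeguard and how much it lowers a risk.

    The reduction values are assumed for this example; in practice they come
    from the assessor's judgment of how well the control actually operates.
    """
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the register: an asset holding ePHI, a threat to it, the
    vulnerability the threat would exploit, and inherent likelihood and impact
    scored 1 (lowest) to 5 (highest) before any control is applied."""
    asset: str
    ephi_location: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Controls reduce the score but never below 1: the threat still
        # exists even when every safeguard works as intended.
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.likelihood - reduction)

    def residual_impact(self) -> int:
        reduction = sum(c.impact_reduction for c in self.controls)
        return max(1, self.impact - reduction)

    def residual_score(self) -> int:
        """Likelihood x impact after the mapped controls are applied."""
        return self.residual_likelihood() * self.residual_impact()


# Assumed risk appetite: residual scores at or below this need no further
# action beyond confirming the mapped controls keep operating.
ACCEPTABLE_RESIDUAL = 6

# Sample controls (names and reduction values are constructed for the example).
FULL_DISK_ENCRYPTION = Control("Centrally enforced full-disk encryption", impact_reduction=4)
USB_BLOCKED = Control("USB mass storage blocked by endpoint policy", likelihood_reduction=3)
AWARENESS_TRAINING = Control("Annual phishing awareness training", likelihood_reduction=1)
LOG_REVIEW = Control("Daily review of authentication and EHR access logs",
                     likelihood_reduction=1, impact_reduction=2)


def build_register() -> List[Risk]:
    """A constructed register loosely modeled on the settlement fact patterns above."""
    return [
        Risk("Clinician laptop", "local disk", "theft or loss of device",
             "disk encryption written in policy but not enforced", likelihood=4, impact=5),
        Risk("Removable USB drives", "removable media", "loss of drive",
             "unencrypted ePHI copied to removable media", likelihood=4, impact=4,
             controls=[USB_BLOCKED]),
        Risk("Workforce email", "EHR via compromised credentials", "spear-phishing",
             "staff respond to malicious email", likelihood=5, impact=5,
             controls=[AWARENESS_TRAINING, LOG_REVIEW]),
        Risk("Vendor FTP server", "file share", "internet exposure",
             "uncontrolled access to the share", likelihood=3, impact=5),
    ]


def prioritize(register: List[Risk], acceptable: int = ACCEPTABLE_RESIDUAL) -> List[Risk]:
    """Risks whose residual score exceeds the acceptable level, highest first.

    Ties are broken by residual likelihood so that the more probable of two
    equally scored risks is remediated first."""
    open_items = [r for r in register if r.residual_score() > acceptable]
    return sorted(open_items,
                  key=lambda r: (r.residual_score(), r.residual_likelihood()),
                  reverse=True)


def remediate(risk: Risk, control: Control) -> int:
    """Record a remediation action against a risk and return its new residual score."""
    risk.controls.append(control)
    return risk.residual_score()


if __name__ == "__main__":
    register = build_register()
    for r in prioritize(register):
        print(f"{r.residual_score():>2}  {r.asset}: {r.threat} / {r.vulnerability}")
    # Remediate the top item and re-run: the laptop risk drops to 4 x 1 = 4
    # and falls off the action list, while the FTP server and email risks remain.
    remediate(register[0], FULL_DISK_ENCRYPTION)
    print("after remediation:", [r.asset for r in prioritize(register)])
```

The USB-drive row shows why the register must record existing controls before residual risk is scored: with the endpoint policy blocking removable media, its residual score is already within appetite, whereas the laptop row, which relies on a written policy only, stays at the top of the list until encryption is actually enforced.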
Conducting a risk analysis and having a risk management plan in place are both required elements of HIPAA compliance, and together they are how an organization identifies and addresses risks to the integrity, availability, and confidentiality of protected health information.
Linford & Company works with clients on their compliance journey with HIPAA by identifying gaps in compliance and recommending measures to remediate them. If you have questions or would like more information regarding HIPAA, SOC 1, SOC 2, HITRUST or FedRAMP, please contact us.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.