HHS Says Not Understanding HIPAA Creates (HUGE) Risk


What’s worse than a 2.5 million dollar HIPAA settlement? Knowing that it could have been avoided, that’s what.

The Department of Health and Human Services (HHS) oversees HIPAA enforcement. As part of this enforcement, HHS publishes official summaries of their completed cases. This one might give you nightmares.

Consider this Cautionary Tale…

On April 24, 2017, HHS released a summary of a case involving a remote cardiac monitoring company, CardioNet. Back in 2012, one of the company’s employees left a laptop overnight in a car parked just outside their house, and the laptop was stolen. It contained unsecured protected health information (PHI) for more than a thousand patients, accessible to anyone who possessed the device.

When the company followed procedure and reported this breach to HHS, it triggered an investigation into their compliance with HIPAA’s Security Rule. HHS found that CardioNet had not employed a sufficient risk analysis and management process and had not created the policies and procedures necessary to protect their patients’ health information.

In other words, they were not in compliance with HIPAA. HHS’s official headline makes the message clear: “$2.5 million settlement shows that not understanding HIPAA requirements creates risk.”

An unfortunate event, for both the company and the patients involved. But how does this help to demonstrate how your practice can stay in compliance?

What Should Have Been Done Differently?

To begin with, this case illustrates two important elements of HIPAA compliance that are often overlooked.

First, HHS found the risk analysis and management process of the cardiac monitoring company to be insufficient.

This is the same risk analysis and management that is the cornerstone of compliance with the HIPAA Security Rule. A risk analysis must comprehensively analyze your office’s actual I.T. risks, threats, and vulnerabilities.

All devices that create, store, or transmit electronic PHI need to be included in your analysis. Depending on the complexity of your I.T. infrastructure, this can be quite an undertaking, but necessary nonetheless. Other circumstances can also influence what needs to be covered by the risk analysis.

For example, if you have an internet accessible website that delivers PHI to patients, you must consider an entirely new set of risks, threats, and vulnerabilities. The website and the PHI are now accessible over the public internet, which allows hackers from around the globe access to information if security measures are insufficient. A risk analysis must cover all points where electronic PHI is created, stored, or transmitted and it must be customized for your own I.T. structure.

This is the most important activity when it comes to compliance with HIPAA’s Security Rule.

Depending on the complexity of your I.T. structure, it may be well worth it to involve an I.T. professional and/or use a risk analysis tool.

Second, this case illustrates the consequences of one of the most common breach situations.

It involves a stolen electronic device that contained unsecured PHI. In 2012, the year the initial incident in this case occurred, approximately 40% of reportable breaches were the result of lost or stolen devices. While it does not cover all HIPAA requirements, taking steps to avoid a situation like this will go a long way to reduce potential legal and financial liability.

Again, the steps you should take depend primarily on your existing I.T. structure. The key is to make it impossible for the unauthorized person who found or stole the device to view or gain access to the PHI. This can be accomplished in a variety of ways.

If you use an electronic health records system exclusively, and the device is only used to access the records without storing any PHI in its own memory, then an unauthorized person could not reasonably access that information, assuming the electronic health records system requires a login or some other form of user authentication.

However, if PHI is stored on the actual device, the approach must be different. Two good and relatively inexpensive options in this scenario are full-drive encryption and/or the ability to wipe the device’s memory remotely. If implemented correctly, either of these options will make it practically impossible for the unauthorized person to access PHI.

In fact, had the cardiac company in the case correctly used any of these options, it is possible that they would not even have had to report it as a breach. There would not have been a compliance review and, perhaps most importantly, there could have been no fines or negative publicity at all.
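One way to verify the full-drive encryption option above on a Linux workstation or server that stores PHI is to confirm that every PHI mount point sits on a dm-crypt (LUKS) layer. The check below is an added example, not part of the original post or of any HHS guidance; it assumes the input is the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints, in which encrypted volumes appear as nodes of type "crypt" between the partition and the mounted filesystem, and the sample inventory is constructed.

```python
"""Check that each Linux mount holding PHI is backed by a dm-crypt (LUKS) device.

Assumption (not from the article): input is the JSON printed by
`lsblk -J -o NAME,TYPE,MOUNTPOINT`, where an encrypted volume shows up as a
node of type "crypt" between the partition and the mounted filesystem.
"""
import json


def _find_chain(nodes, mountpoint, chain=()):
    """Return the device nodes from disk down to the node mounted at
    `mountpoint`, or None if nothing is mounted there."""
    for node in nodes:
        path = chain + (node,)
        if node.get("mountpoint") == mountpoint:
            return path
        found = _find_chain(node.get("children", []), mountpoint, path)
        if found:
            return found
    return None


def mount_is_encrypted(lsblk_json: str, mountpoint: str):
    """True if the mount or any layer beneath it is dm-crypt, False if the
    data sits on plaintext storage, None if the mountpoint is absent."""
    chain = _find_chain(json.loads(lsblk_json)["blockdevices"], mountpoint)
    if chain is None:
        return None
    return any(n.get("type") == "crypt" for n in chain)


def audit_phi_mounts(lsblk_json: str, phi_mounts):
    """Map each PHI mountpoint to its encryption status for the risk analysis."""
    return {m: mount_is_encrypted(lsblk_json, m) for m in phi_mounts}


# Constructed sample: one LUKS-backed PHI volume and one plaintext scratch disk.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "phi_vault", "type": "crypt", "mountpoint": "/srv/phi"}]}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/mnt/scratch"}]}]})

if __name__ == "__main__":
    report = audit_phi_mounts(SAMPLE_LSBLK, ["/srv/phi", "/mnt/scratch", "/data"])
    for mount, status in report.items():
        label = {True: "encrypted", False: "NOT encrypted", None: "not mounted"}[status]
        print(f"{mount}: {label}")
```

A `False` result for any path in your PHI inventory is a finding to record in the risk analysis; a `None` means the inventory and the host disagree about where PHI lives, which is worth investigating too.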

As this case demonstrates, ignorance of the law is not a defense. However, every step closer to compliance reduces the potential legal and financial liability a practice may face. Performing sufficient risk analyses and ensuring that the PHI on your mobile devices can be secured after a loss or theft are not the only requirements, but they are two giant steps forward.

Train Your Team and Ensure Understanding of HIPAA’s Requirements

What should a small practice do to avoid unsuccessful audits and crippling HIPAA fines like this one? Training your team properly to understand and comply with HIPAA’s requirements remains your best precaution against violations. We’ve updated our own HIPAA training program at YourHIPAATraining.com in response to the most recent Phase II audit protocol used by HHS—so this is your chance to train based on HHS’ own enforcement standards.

Once trained, it’s equally important that you retrain frequently (once a year is recommended), train new hires immediately (not next week or next month), and ensure that your Security and Privacy Officer(s) understand and follow through with recommended steps for compliance. Fines like this one often could have been prevented.

Friendly Disclaimer: This information is general in nature and is not intended to provide legal advice or replace counsel about a specific HIPAA compliance issue with a specialized attorney. This material is meant to provide information that is believed to be current as of the date of this post.

Jun 20, 2017
