Liles Parker PLLC

A HIPAA Risk Assessment is Essential to Avoid Liability

Covered entities and business associates must perform a HIPAA risk assessment.

(August 23, 2014):  Almost all health care providers and suppliers qualify as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Together with the business associates with whom they work, these entities are responsible for ensuring that any protected health information (PHI) under their control has been properly secured and remains confidential.  Let’s face it, the regulations governing a health care provider’s obligations under HIPAA are both extensive and complex.

Many small and mid-sized health care providers and suppliers have found it difficult to fully comply with their many statutory obligations under HIPAA’s privacy and security mandates.  Nevertheless, it is important to keep in mind that the government is actively investigating allegations of breach, regardless of the size of provider or supplier that may be involved.

I.   The Importance of Conducting a HIPAA Risk Assessment:

A recent federal criminal indictment of an individual for a HIPAA violation should serve as a reminder to all health care providers of the importance of fully complying with HIPAA’s security requirements.  While most health care providers and suppliers have diligently worked to comply with HIPAA’s privacy requirements, their compliance with HIPAA’s security and risk assessment mandates remains a challenge.  A recent case out of the U.S. Attorney’s Office for the Eastern District of Texas provides a stark reminder of why all health care providers must remain diligent in their efforts to secure and protect the medical records that have been entrusted to their care by their patients.

Last month, federal prosecutors announced that a former employee of an unnamed hospital in East Texas had been arrested in Georgia the previous year on charges unrelated to the theft of PHI.  At the time of his arrest, he was discovered to be in possession of patient medical records from Texas.  The subsequent investigation indicated that from December 1, 2012, through January 14, 2013, the individual had obtained PHI while he was employed at an East Texas hospital.  The defendant allegedly took the patient records with the intent to use the patients’ PHI for personal gain.  The defendant is currently in jail, awaiting trial.  If convicted, he could be sentenced to prison for up to 10 years.  There are two main points that all covered entities and business associates should keep in mind:

1.  The theft of PHI is a serious crime.  Both federal and state prosecutors are actively pursuing individuals who illegally steal or improperly use patient PHI for personal gain.  Under 18 U.S.C.A. § 1028A(a)(1), the federal “Aggravated Identity Theft” statute prohibits an individual’s knowing use of another person’s identifying information without a form of authorization recognized by law.

2.  While the government’s Press Release does not discuss whether the East Texas hospital had previously conducted a proper HIPAA risk assessment, it would not be surprising to later learn that the Office for Civil Rights (OCR) has initiated its own audit of the organization to verify that it has, in fact, previously conducted a HIPAA risk assessment.

II.  HIPAA’s Security Rule Requires that a Risk Assessment be Conducted:

While details regarding what security provisions and precautions the East Texas hospital may have implemented are not available, one wonders if the hospital conducted a risk analysis as required by HIPAA’s Security Rule provisions.  The Security Rule states that all covered entities must implement policies and procedures “to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)   A risk analysis is one of four required implementation specifications in the Security Rule that actually provide instructions on how to implement the requirement.  Conducting a risk analysis would likely have revealed system vulnerabilities, perhaps even the one that failed to prevent the theft of patient PHI.  Certainly a risk analysis would have revealed the necessity of various audits, any of which could have revealed the fact that the defendant was improperly accessing and taking patient records.

Unfortunately, conducting a HIPAA risk assessment is still a problem for many health care providers.  A series of audits was conducted in 2012 by federal contractors working for OCR to assess whether health care providers, suppliers, health plans and clearinghouses have been complying with HIPAA’s Privacy, Security, and Breach Notification requirements.  A number of health care providers were included in these audits.  The results showed that 60% of the deficiencies reported were related to HIPAA security requirements.  In addition, 65% of the findings were for health care providers, in particular smaller providers.  Of the 59 providers, 58 had at least one finding relating to a Security Rule deficiency.  Nearly 80% of the health care providers had not completed a risk assessment.[1]  OCR concluded that driving compliance with the Security Rule aspects of HIPAA would be a likely focus in the future.

III.  Meaningful Use and Risk Assessments:

Conducting a risk analysis is also a core requirement under the Meaningful Use rules.[2]  In order to receive a meaningful use incentive, providers were required to certify that they conducted a risk assessment in accordance with the HIPAA Security Rule provisions.  Over 245,000 eligible professionals received payments for usage of electronic health records for 2011 and 2012.

Yet if the statistics from OCR’s admittedly small sample of health care providers in 2012 are true, this could mean that a very large majority of those health care providers who certified to having conducted a risk assessment as part of their meaningful use certifications did so falsely.  The data on which providers, including names and NPI numbers, have received a meaningful use incentive payment is publicly available.  Thus it is highly likely that as part of the soon-to-be-restarted HIPAA audits, OCR will explicitly review whether providers falsely certified that they conducted a security risk analysis, when in fact they did not.  While the amount of money that a provider might have to return for a false certification is not large, the potential penalties for having falsely certified compliance with the regulations are much larger and more serious.

IV.  Final Remarks:

While overdue, if your organization has not already conducted a HIPAA security risk assessment, it is imperative that you do so immediately.  The window to take remedial action may be closing, especially if you have received payments under the meaningful use provisions.  Need help?  Give us a call.  In Part II of this article, we will discuss several of the considerations you should take into account when engaging outside assistance to conduct a security risk assessment of your organization.

Heidi Kocher serves as Counsel for Liles Parker and represents health care providers and suppliers in the Dallas / Fort Worth metropolitan area.  Heidi is an experienced health lawyer and is skilled in assisting clients with transactional projects, compliance issues and in fraud and abuse counseling.  Should you have any questions regarding the HIPAA security risk assessment process, please give Heidi a call.  For a free consultation, call Heidi at: 1 (800) 475-1906.

[1] HIPAA Privacy, Security and Breach Notification Audits:  Program Overview & Initial Analysis, presentation by Verne Rinker JD, MP, at 2013 NIST / OCR Security Rule Conference, May 21-22, 2013, available at http://csrc.nist.gov/news_events/hipaa-2013/presentations/day1/rinker_day1_215_hipaa_privacy_security_breach_audits.pdf

[2] See the July 28, 2010 Final Rule Notice, 75 Fed.Reg. 44314 at 44369; 42 CFR 495.6(d)(15).

HIPAA Encryption is the Best Way to Avoid a Violation

HIPAA Encryption is Your Best Defense Against a Breach.

(May 29, 2014):  On April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) announced that it had entered into resolution agreements with two entities for $1,725,220 and $250,000, respectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  The main takeaway from these settlements?  Covered entities and business associates could best protect themselves against future violations through HIPAA encryption procedures.

I.     HIPAA and HITECH Impose Duty to Safeguard Privacy and Security of Patient PHI:

Under the Health Insurance Portability and Accountability Act of 1996[1] (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act[2], covered entities[3] and business associates[4] must safeguard the privacy and security of their patients’ Protected Health Information (PHI). PHI includes any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[5]

Additionally, in January 2013, HIPAA was updated via the Final Omnibus Rule.  These updates not only greatly enhanced a patient’s privacy rights and protections, but they also strengthened the ability of HHS-OCR to vigorously enforce the HIPAA privacy and security protections.  For example, covered entities and business associates must review and modify security measures as needed to ensure the continued provision of “reasonable and appropriate” protection of EPHI.[6]  Moreover, the impermissible use or disclosure of PHI (i.e. in violation of the HIPAA Privacy Rule) is now presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.[7]

However, while employees of covered entities and business associates regularly use laptops, tablets or other mobile devices to access, store and transmit electronic PHI (EPHI), many of these entities have not implemented the requisite safeguards to protect this sensitive information.  These devices, many of which remain unencrypted, leave EPHI vulnerable to unauthorized access and disclosure.  Under these circumstances, a “breach”[8] has occurred and must be reported.  Furthermore, there are significant civil monetary penalties for security breaches.  In light of these risks, HIPAA encryption is recommended.

II.     Stolen Laptops Without HIPAA Encryption Lead to Settlements:

Unauthorized breaches regularly occur in situations when electronic devices are lost or stolen.  In fact, stolen laptops with unencrypted EPHI have resulted in many recent settlement agreements with HHS-OCR. Just last month, two covered entities agreed to collectively pay HHS-OCR almost $2 million to resolve potential violations of the HIPAA Privacy and Security Rules.

Following the first covered entity’s submission of a breach report indicating that a laptop had been stolen from one of its facilities, HHS-OCR initiated a compliance review. HHS-OCR concluded that the covered entity recognized that lack of HIPAA encryption of electronic devices posed a security risk to patient data. However, it “failed to adequately remediate and manage its identified lack of HIPAA encryption or, alternatively, document why HIPAA encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.”

As to the other covered entity, HHS-OCR found that it “did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule.”

As part of the resolution agreements with HHS-OCR, both covered entities entered into corrective action plans under which each agreed to provide OCR with an updated risk assessment management plan, updates on the HIPAA encryption status of its devices and equipment, and proof that it had completed security awareness training of its staff.

III.  Final Remarks:

A review of both settlement agreements reveals some interesting findings.  Notably, both agreements reflect some degree of compliance with the Security Rule prior to the imposition of a monetary settlement.  While covered entities and their business associates should review these settlement agreements, it is important to understand that partial compliance with HIPAA and HITECH is NOT SUFFICIENT.  If you are found to be in violation of the Rules, civil monetary fines will be levied on you.

Covered entities and business associates should ensure that they are in FULL COMPLIANCE with the requirements of HIPAA.  You must take steps to immediately conduct a full Security Rule risk assessment and mitigate any identified risks to patient PHI. Do you need help conducting a risk assessment or instituting a full compliance program? We would be more than happy to assist you. Give us a call today.

Remember: if you and your staff are using laptops to access, store and transmit ePHI, OCR has given you the appropriate guidance to safeguard your patients – and YOU: “[…] encryption is your best defense against these incidents.”

Robert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.


[1] Pub.L. 104–191, 110 Stat. 1936.

[2] Enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5).

[3] “Covered entities” generally include health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. 45 C.F.R. 160.103.

[4] See 45 CFR Sections 160.102 and 160.103.

[5] 45 C.F.R. 164.501.

[6] 45 C.F.R. 164.306(c).

[7] 45 CFR §§ 164.400-414.

[8] See 45 CFR § 164.402.

HIPAA Risks of Breach: Windows XP Will No Longer be Supported by Microsoft

HIPAA Risks of Breach

(February 5, 2014):  Has your practice addressed the latest HIPAA risks of breach that have been identified?  As discussed below, health care providers must take immediate remedial action if they are currently running Windows XP on one or more of their office computers.

Why is this action necessary?  Because after April 8, 2014, Microsoft will no longer promulgate security updates or patches for this operating system. As a result, any computer running this outdated software system will effectively be non-compliant with HIPAA and HITECH regulations.

I.   Windows XP Support Ends April 2014:

Historically, Windows XP has been one of Microsoft’s most popular operating systems. It was first released in August 2001 and is still widely used on personal computers in both homes and business environments.  In fact, many health providers continue to use Windows XP on their workstations as part of a multi-faceted system that integrates electronic hardware, software, medical devices and the internet.

Unfortunately, as computers and the internet have become an integral part of the health care industry, Windows XP-based computer systems and workstations have become a likely target for malicious activity.  To combat these problems and protect users from cyber threats, Microsoft has customarily provided technical support for its software products for a period of years after the product’s release.  Generally, this support comes in the form of a “service pack” and includes a collection of updates, fixes, or enhancements to a software program or operating system that is delivered in the form of a single installable package.

In the case of Windows XP, the software product has been out more than a decade and multiple newer versions of Windows have been released during that period.  As a result, Microsoft has announced that after April 8, 2014, Windows XP will no longer be supported.  From a practical standpoint, this means that health care providers and other customers who still operate computers utilizing Windows XP will no longer receive new security updates, non-security hotfixes, free or paid support or online technical content updates.  Any new vulnerabilities identified in the Windows XP operating system after April 8th will remain unaddressed by Microsoft.  Therefore, it will likely be easier for computer hackers to successfully infiltrate and exploit any Windows XP-based operating system via unpatched or non-secure vulnerabilities.

II. After April 2014, Providers Relying on Windows XP Systems will Have Another HIPAA Risk:

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress on August 21, 1996.  HIPAA regulates the availability and exchange of “Protected Health Information” (PHI) and helps prevent the unlawful release of patient medical information.  The statute also helps to reduce instances of health care fraud and abuse, and sets standards for industry-wide billing procedures.  Under HIPAA, health care providers are obligated to take a wide range of steps designed to secure and protect PHI.

Both a “Privacy Rule” and a “Security Rule” are covered under HIPAA. These rules apply to “Covered Entities,” which include health plans, health care clearinghouses such as billing services, and health care providers that transmit health data in a way that is regulated by HIPAA. The Privacy Rule and the Security Rule have been designed to protect patient privacy and set standard procedures for the security of electronic PHI (e-PHI). Together, these two rules establish national standards for ensuring that a patient’s health information is kept confidential and secure.

Subsequent to the passage of HIPAA, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.  HITECH was created to encourage the adoption of electronic health records (EHR) and other support technology. Notably, the law also:

  • Expanded the obligations of physicians and other health care providers under HIPAA to protect patients’ PHI.
  • Extended the Privacy and Security Rules to business associates of the covered entities who have access to the PHI.
  • Increased the penalties for violations of those obligations under the rules.

For health care providers who still utilize Windows XP-based computer systems, the decision by Microsoft to terminate its technical support of the software is very problematic.  Since Windows XP is no longer supported by Microsoft, any computer operating this system will be more susceptible to HIPAA risks of breach and / or other security risks.

III.  What Actions Should Health Care Providers Utilizing Windows XP Systems Take?

Many large health care provider organizations are already aware of this security concern and have implemented new operating systems.  However, many small to mid-sized health care providers have only recently learned of Microsoft’s support termination decision.  To the extent possible, these health care providers should examine their computer systems and determine whether their current Windows XP operating system can be upgraded to a more recent operating system, such as Windows 7 or Windows 8.  Unfortunately, many older computer systems may not support an operating system upgrade.  As a result, a health care provider may have to completely replace one or more of its office computer systems.  While replacement will be expensive, it will still be far cheaper than the monetary penalties that a provider may face if a HIPAA breach occurs due to the provider’s continued use of a computer running Windows XP.

Health care providers should immediately determine whether their practice’s Compliance Officer has conducted a review of the organization’s computers (and associated operating systems) to ensure that after April 8th the equipment will still be HIPAA / HITECH compliant.  If Windows XP-based systems are still in use, a transition strategy should be identified and implemented.

IV.  Conclusion — Reducing the HIPAA Risks of Breach in Your Practice:

Importantly, the Windows XP operating system issue is merely one of many privacy concerns that must be addressed by a practice’s Compliance Officer.  The failure of a health care provider to recognize and address the Windows XP security risk can lead to a breach of PHI and a possible privacy compliance audit by the Office for Civil Rights (OCR).  Depending on the facts, an OCR audit can lead to the imposition of civil monetary penalties (CMPs).

All health care providers should affirmatively review the mandatory requirements under the HIPAA and HITECH laws.  Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice.  Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur.  Don’t let the theft of PHI through an obsolete operating system be the first time you assess the safety and security of your PHI.  Taking measures to implement an effective compliance plan NOW is just your first step.  In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help setting up your Compliance Plan or in conducting a HIPAA Omnibus Rule risk assessment?  Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors.  The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews.  For a free consultation, call Robert at:  1 (800) 475-1906.

Dermatology Practice HIPAA Breach Results in Settlement with OCR

Dermatology Practice HIPAA Breach

(December 30, 2013):  A Concord, Massachusetts dermatology practice has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services (HHS).  The settlement is notable because it follows an investigation by the HHS Office for Civil Rights (OCR) into the practice after it voluntarily disclosed a data breach affecting patient health information.  Importantly, the dermatology practice HIPAA breach was reportedly the first case handled by OCR where the provider did not have the required HITECH policies and procedures in place to help the practice avoid the breach.

I.  The HIPAA Breach Notification Rule Requirements:

On January 17, 2013, HHS issued its final HIPAA Omnibus Rule[1], which affected many aspects of the privacy rule. The Omnibus Rule became effective on March 26, 2013, and HIPAA covered entities and business associates had to comply with its requirements no later than September 23, 2013. The rule comprised four final rules, which included a modification to the interim final rule for Breach Notification for Unsecured Protected Health Information[2] (the “Breach Notification Rule”).  The new Omnibus Rule strengthened the Breach Notification Rule with more objective standards, such as replacing its harm threshold for breach notification with a default presumption that a breach is any acquisition, access, use, or disclosure of protected health information (PHI) that violates the HIPAA Privacy Rule.

Furthermore, under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), covered entities must make mandatory notifications to affected individuals, the Secretary of HHS, and, in certain circumstances, the media in the event of a breach of unsecured PHI.

For individuals, the notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach.  The notification must include, to the extent possible, a description of the breach, a description of the type(s) of information that was involved in the breach, the steps affected individuals should take to protect themselves from potential harm, and a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent future breaches.  If the breach affects more than 500 residents of a State or jurisdiction, the covered entity must also provide notice to prominent media outlets serving that State or jurisdiction.  Finally, covered entities must notify the Secretary of HHS of breaches of unsecured PHI through the HHS web site.  If the breach affects 500 or more individuals, this notice to the Secretary must be made without unreasonable delay and in no case later than 60 days following a breach.

II.  Dermatology Practice Voluntarily Discloses a Breach:

The Massachusetts dermatology practice at issue is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. On October 7, 2011, the provider reported to HHS a breach of its unsecured electronic PHI (ePHI). The breach occurred after an unencrypted thumb drive, which stored ePHI regarding surgeries of approximately 2,200 individuals, was stolen from a staff member’s car. The thumb drive was never recovered.

Following proper HIPAA Breach Notification rules, the provider notified its patients within 30 days of the theft and provided notice to the local media. On November 9, 2011, HHS notified the provider that OCR intended to investigate the provider’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

III.  Potential Violations of HIPAA:

OCR’s investigation revealed several notable deficiencies in the practice’s risk management and compliance practices.  In particular, the investigation revealed that:

  • The provider did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012;
  • The provider did not fully comply with the requirements of the Breach Notification Rule, which requires covered entities to have written policies and procedures and to train workforce members regarding those policies and procedures, until February 7, 2012; and
  • The provider failed to reasonably safeguard the thumb drive that wound up being stolen.

These failures indicate that the provider’s problem did not stem from whether it appropriately responded to the breach.  Instead, the OCR review demonstrates that providers such as this are deficient in whether they are compliant with the Privacy, Security, and Breach Notification Rules prior to a breach incident and whether a breach can be avoided in the first place.

IV.  The Cost of this Dermatology Practice HIPAA Breach:

This dermatology practice HIPAA breach was ultimately settled for $150,000. The provider is also required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  In particular, the provider will have to develop a risk analysis and risk management plan that addresses and mitigates any security risks and vulnerabilities within its practice. The provider will also have to provide OCR with this implementation report as part of the settlement agreement.

Notably, in its Press Release, HHS acknowledged that this settlement is the first where a covered entity has not had policies and procedures in place to address the breach notification provisions of the HITECH Act. “As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

V.  Final Remarks:

Providers and other covered entities must understand the problems associated with an unexpected theft or other event that results in a reportable breach.  As this case demonstrates, a breach of PHI may open up the provider to a compliance audit by the OCR.  This audit can certainly lead to subsequent civil and/or criminal penalties.

It is imperative that all covered entities affirmatively review the mandatory requirements under the new HIPAA Omnibus Rule.  Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice.  Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur.  Don’t let a stolen thumb drive be the first time you assess the safety and security of your PHI.  Taking measures to implement an effective compliance plan is just your first step.  In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help setting up your Compliance Plan?  Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits, HIPAA privacy requirements and other health law issues.  For a free consultation, call Robert at:  1 (800) 475-1906.


[1] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013), available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

[2] See 45 C.F.R., part 164, subpart D.

HIPAA Breach Penalties are Being Assessed for Potential Disclosures of Less than 500 Patients. Have You Taken Steps to Prevent a Breach?

HIPAA Breach Penalties are Increasing.

(January 8, 2013):  A few days ago, the Department of Health and Human Services’ Office for Civil Rights (HHS’ OCR) issued an important announcement — one which is likely to affect ALL health care providers at some point.  OCR has announced that it has entered into a monetary settlement with an Idaho-based hospice company in connection with a HIPAA breach involving less than 500 patients.  As the settlement agreement details, the hospice company has agreed to pay $50,000 to settle these potential violations arising out of the company’s loss of an unencrypted laptop which contained personal health information (PHI) that was being used outside of the office.

While the hospice company did, in fact, report the loss, OCR noted that prior to the loss, the hospice had NOT conducted any sort of risk analysis or attempted to safeguard the information.  Under HIPAA, all health care providers are required to have safeguards in place to prevent this (and similar) types of HIPAA breaches from taking place.  OCR’s director Leon Rodriguez stated:

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

All entities are required to report “breaches” affecting 500 patients or more to the Secretary of HHS and then to the press within 60 days.  Smaller breaches are reported to HHS on an annual basis. In this particular case (which occurred in 2010), a total of 441 patients had their information put at risk.  Notably, OCR’s announcement did not indicate that any patient suffered any harm as a result of the laptop’s loss or this alleged HIPAA breach.  Nor is it alleged that any type of identity theft took place.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker. Robert and the other attorneys at Liles Parker represent health care providers in HIPAA related audits and projects.  Should you have any HIPAA privacy questions, please give us a call for a free consultation.  Robert can be reached at:  1 (800) 476-1906.

Healthcare Cloud Computing – Compliance Risks

(August 14, 2012):  Cloud computing is in the process of revolutionizing the way that individuals and businesses store, receive, and use their data. You may have heard about it through companies such as Google, Apple, and Microsoft, all advertising sophisticated cloud computing services. But what are the risks your organization faces with respect to healthcare cloud computing?

I.  What is Healthcare Cloud Computing?

Essentially, “healthcare cloud computing” is the process of using various offsite computer and server resources that are delivered to users remotely through the internet. You use a program on your computer to access data, software, and powerful processing resources at a remote location. Because nearly all of the data storage and processing is done remotely, there is less of a need for high-powered, sophisticated computers at a user’s location, meaning individuals and small businesses can access computer tools that had previously only been reserved for the largest of corporations. In fact, a recent survey by Microsoft found that 39% of small business owners were beginning to engage in some sort of cloud-based computing.

II. Risks of Healthcare Cloud Computing:

Reliance on healthcare cloud computing can expose a provider and his or her practice to a variety of very serious risks.  Chief among these risks is the potential for a substantial privacy breach. Because data and data systems are maintained offsite, a provider, biller, or facility cannot ensure that the data contained on these remote servers is properly secured. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use of Protected Health Information (PHI) through its Security and Privacy Rules. These laws, administered by the Office for Civil Rights (OCR), protect the privacy of individual patients by setting out rules and repercussions concerning the wrongful use or disclosure of PHI. Under HIPAA and the HITECH Act of 2009, there are 4 tiers of potential penalties a “covered entity” might face for wrongful use or disclosure or a security breach. Notably, nearly every healthcare provider is, at this point, a covered entity.

Despite an awareness that both known and emerging risks are present, many health care providers appear to have resigned themselves to the view that the unparalleled convenience of healthcare cloud computing more than makes up for the potential dangers of using this medium.   Notably, many cloud computing services advertise that they are HIPAA compliant or have undergone an SAS 70 Type II audit. Be careful: these audits vary greatly in their adequacy and sophistication, and may fall short of the standards of HIPAA and HITECH. On top of this, as a health care provider, you are not in a position to ensure that the cloud computing company will continue to meet these standards.  In any event, should a breach occur, you will still be on the proverbial “hook” with OCR and its auditing contractors.  Your decision to store PHI on a cloud computing server will not relieve you of your obligation to safeguard patient medical records and personal information.  You are ultimately responsible for PHI entrusted to you by your patients, not the cloud service provider.   There are a number of technical security concerns that you should understand:

  • First, how is data stored at the 3rd party site? Is the data of all clients thrown together on one server or on one hard drive, or does each client have a dedicated server? In addition, what happens if a server has a technical failure? When such an event occurs (as it inevitably will), the 3rd party vendor needs to completely destroy any PHI left on the failed equipment while maintaining a backup so that the data still exists in some form. It is difficult for both you and the 3rd party vendor to guarantee this.

  • Second, transferring data to and from your “cloud” must be done through a secure channel (that is, “https://”). You need to specifically inquire with a cloud vendor whether a dedicated, secure connection can be established so that the “highway” through which your data passes cannot be accessed by others.

  • Third, the interface your organization uses to interact with the remote cloud server is at risk for security breaches, and you should ensure that the 3rd party host has developed properly secured interfaces. Again, this can be hard to do.

  • Finally, and probably most importantly, what about the employees of the remote cloud service? They generally have access to a substantial amount of sensitive data, and you have no ability to train, discipline, or terminate those individuals should wrongdoing occur. As you know, next to the theft of laptops and other mobile electronic devices, curious employees accessing unauthorized PHI is the most common type of breach under HIPAA. Couple that with a 3rd party vendor whose employees you have no control over, and it could mean substantial trouble if an individual employee decides to start exploring your patients’ medical records.

III. Conclusion:

As a result of these serious concerns, we strongly recommend that providers continue to use an internal server stored onsite. While it can be more expensive, it’s the only true way to ensure that your patients’ PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonably covered by the attorney-client privilege.

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at: 1 (800) 475-1906.

Be Aware of Business Associate HIPAA Breach Risk Issues.

(August 10, 2012): As you may know, HIPAA applies to “covered entities.” Under the HITECH Act of 2009, HIPAA was expanded to also include “business associates” of those covered entities. But what about subcontractors of those business associates? What happens if the improper conduct of an outside consultant results in a business associate HIPAA breach? Who is ultimately responsible for a HIPAA breach? Nowadays, particularly with the rise of electronic communications, data storage, and other e-tools, business associates may send out a substantial percentage of their work to subcontractors, sometimes unbeknownst to the primary covered entity. Nevertheless, the covered entity may still be liable for any improper business associate HIPAA breach or wrongful disclosure of protected health information (PHI), or other compliance failures related to HIPAA and/or HITECH.

I.  Business Associate HIPAA Breach Environment:

This very thing recently happened at a major hospital in Hartford, CT. In fact, the HIPAA breach involved nearly 10,000 patients of the hospital and its associated hospice/home health agency, caused (as you may have guessed) by the loss of a company laptop. The hospital/hospice had contracted with a quality improvement company (the business associate), which had then sent out much of its data analysis work to a subsidiary. An employee of this subcontractor took an unencrypted company laptop home to continue work, and the laptop was later stolen from his home. The information contained on the stolen laptop included patient names, addresses, dates of birth, marital status, Social Security numbers, Medicare and/or Medicaid numbers, medical record numbers and certain diagnoses and treatment information.

As you can imagine, this represents a major HIPAA breach and a virtual goldmine for a criminal engaged in identity theft or Medicare billing fraud. HIPAA breaches like this, involving substantial numbers of patients and resulting from improperly secured electronics, are becoming more frequent every day. And more often than not, these HIPAA breaches don’t involve the primary covered entity directly, but are instead caused by a business associate or its subcontractor, who may be less familiar or less concerned with the potential for HIPAA breaches. This is why it is always important to have a Business Associate Agreement with any business associate and to obtain “adequate assurances” from the business associate that it will hold its subcontractors to the same standards it must follow as a business associate. In any event, if you believe that your organization, its business associate or a subcontractor has wrongfully disclosed PHI or has had a PHI breach, you should speak with legal counsel immediately.  Time is of the essence in reporting a HIPAA breach or wrongful disclosure.

II. Responding to an Identified Business Associate HIPAA Breach:

So what steps did the hospital take after discovering the HIPAA breach? Under the law, the hospital had to disclose the breach to the Secretary of the Department of Health and Human Services, the patients themselves, and the local news media, since the breach involved more (way more) than 500 individuals. In addition, this particular hospital:

  • Offered two years of free credit monitoring to affected patients
  • Established a call center to respond to patient questions
  • Is providing information to patients on obtaining credit reports and other indicia of fraud
  • Is ensuring that all PHI used by contractors is encrypted
  • Securely destroyed all data in the possession of its business associate (likely terminating the relationship)

On top of the costs of implementing these protective measures, the hospital likely faces a huge penalty imposed by the Office for Civil Rights (OCR), which could end up costing millions. The cost of ensuring that all PHI is properly encrypted and all premises are securely locked down is much less.

III.  Is Your Compliance Program Designed to Prevent a HIPAA Breach?

While HIPAA breaches are likely to occur even when an organization is actively attempting to enforce compliance, having an effective compliance plan is a powerful tool to show the government that your organization is trying to do the right thing. While penalties may still be imposed, they may be reduced from Tier D or Tier C to Tier B, which could cap an organization’s liability at $100,000 a year (as opposed to $1.5 million a year for Tier D). As a result, if your organization does not have a robust compliance plan, or your compliance plan is not specific to your practice, actively updated, or actively enforced, you should consider having legal counsel assist in implementing an effective compliance plan. This will help to reduce the likelihood of a HIPAA breach, and possibly help to reduce the penalties associated with a HIPAA breach.

Robert Liles counsels providers on HIPAA breach notification and implementing effective compliance plans.  In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.