Three (Plus 14) More Non-compliance Settlements
Last October, the Office for Civil Rights (OCR) settled with the City of New Haven, Connecticut (New Haven) after concluding that New Haven had violated the HIPAA Privacy and Security Rules. New Haven entered into a two-year corrective action plan (CAP) and agreed to pay $202,400 to OCR, even though the covered entity is a public health clinic providing preventative medical services. OCR's action shows that organizations established to serve the public are not immune from non-compliance accountability.
New Haven failed to terminate a workforce member's ePHI access in a timely manner. The former employee reportedly returned to the workplace and used a computer to access ePHI eight days after that access should have been revoked. This person accessed 498 patients' information and downloaded their ePHI onto a portable USB drive. Additionally, OCR concluded that "...New Haven failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures...".
Lessons learned here include, but are not limited to: maintaining a formal process to terminate access to ePHI §164.308(a)(3)(ii)(C), ensuring that only authorized persons are allowed physical access to systems holding ePHI §164.310(a)(2)(ii), and giving the workforce guidance on downloading ePHI to devices and media §164.310(d)(1).
Last October also saw Aetna Life Insurance Company and its affiliated covered entity (Aetna) settle with OCR for $1,000,000 after three major incidents in 2017. That June, Aetna discovered that two web services used to display plan-related documents for more than 5,000 health plan members had been indexed by internet search engines. Two months later, Aetna reported complaints that envelopes used to communicate with members allowed the text "HIV medication" to be seen through the envelope's window. Three months after that, Aetna reported that a research study mailing sent to Aetna plan members displayed the name and logo of the research study in which they were participating (i.e. an unauthorized disclosure).
Aetna is a large insurance company, and at that scale incidents like these are bound to happen. But this news reminds us to: perform periodic technical and nontechnical evaluations of operational changes affecting the security of ePHI §164.308(a)(8), verify the identity of persons or entities seeking access to ePHI §164.312(d), limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure §164.502(b) and §164.514(d), and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI §164.530(c)(1).
Today, OCR announced that Excellus Health Plan, Inc. (Excellus) has agreed to pay $5.1 million and carry out a two-year CAP following a breach, resulting from a cyberattack, that affected 9.3 million people. The attackers had access to Excellus' systems for approximately 18 months, and OCR concluded that potential violations of the HIPAA Rules included failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.
The Excellus breach reinforces the importance of: identifying risk §164.308(a)(1)(ii)(A), managing risk §164.308(a)(1)(ii)(B), and actively reviewing audit logs §164.308(a)(1)(ii)(D).
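The New Haven findings (access that survived termination, no unique user identification, a bulk download) and the Excellus finding (no information system activity review) both come down to the same operational check: someone has to read the access logs against the HR roster. The script below is an added example written for this post; it is not code from OCR, from any of the covered entities, or from the resolution agreements. The log format, user ids, dates and thresholds are all constructed for illustration. It flags any access by a user after their HR termination date, any use of an account not tied to one person, any user absent from the roster, and any export above a record-count threshold.

```python
"""Added example: reconcile an ePHI access log against an HR termination
list. All user ids, dates and the log format are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime

# Constructed HR roster: user id -> termination date, or None if still active.
TERMINATIONS = {
    "jdoe": datetime(2020, 1, 10),
    "asmith": None,
    "clinic-shared": None,
}
# Constructed list of accounts shared by several people (no unique user id).
GENERIC_ACCOUNTS = {"clinic-shared"}

# Constructed audit log, one event per line:
# "<ISO timestamp> <user id> <action> <number of patient records touched>"
SAMPLE_LOG = """\
2020-01-09T15:02:11 jdoe VIEW 3
2020-01-18T09:14:02 jdoe EXPORT 498
2020-01-18T10:00:00 asmith VIEW 2
2020-01-19T11:30:45 clinic-shared VIEW 7
2020-01-20T08:00:00 unknownuser VIEW 1
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into (timestamp, user, action, count)."""
    ts, user, action, count = line.split()
    return datetime.fromisoformat(ts), user, action, int(count)


def review_log(log_text: str, terminations: dict, generic_accounts: set,
               export_threshold: int = 100) -> list:
    """Return one Finding per policy problem seen in the log.

    Checks, in order: user missing from the HR roster; access on or after
    the user's termination date; use of a shared account; bulk export of
    at least export_threshold records in a single event.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, user, action, count = parse_line(line)

        if user not in terminations:
            findings.append(Finding(n, user, "not in HR roster"))
        else:
            term = terminations[user]
            if term is not None and ts >= term:
                days = (ts - term).days
                findings.append(
                    Finding(n, user, f"access {days} days after termination"))

        if user in generic_accounts:
            findings.append(
                Finding(n, user, "shared account; no unique user identification"))

        if action == "EXPORT" and count >= export_threshold:
            findings.append(Finding(n, user, f"bulk export of {count} records"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, TERMINATIONS, GENERIC_ACCOUNTS):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run against the constructed log this reports the terminated user's access eight days after termination, the 498-record export, the shared account, and the user nobody in HR knows about. In practice the roster comes from the HR system of record and the threshold is tuned to the clinic's normal workload; the point is that the review runs on a schedule, not only after someone notices a USB drive is missing.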
Link to New Haven Resolution Agreement
Link to Aetna Resolution Agreement
Link to Excellus Resolution Agreement
Notably, OCR has also announced 14 settlements under its "right of access" enforcement initiative since the first on September 9th, 2020. We encourage our partners to understand the right of access standard and OCR's active enforcement of it, and to comply.
Stay (HIPAA) safe, Alan -