The Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA in recent years and has agreed to a number of settlements after discovering risk analysis failures.
Late last week, the OCR announced that it has arrived at another settlement following the discovery of risk analysis failures at a HIPAA business associate. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to pay a financial penalty of $650,000 to the OCR to settle potential HIPAA violations dating back to September 23, 2013.
The OCR looks into all breaches of ePHI involving over 500 individuals to determine whether the breach stemmed from violations of HIPAA Rules. In February 2014, the OCR received a number of breach notifications from nursing homes following a breach of ePHI involving CHCS. In April 2016, the OCR launched a full investigation into the breach.
Investigators sought confirmation that CHCS had performed one of the most fundamental requirements of the HIPAA Security Rule: an organization-wide risk analysis. CHCS was unable to provide satisfactory evidence that a risk analysis had been performed to the standard required under 45 C.F.R. § 164.308(a)(1)(ii)(A).
As a result of this failure, the ePHI of individuals receiving medical services from six nursing homes was placed at risk. CHCS also failed to implement the necessary safeguards to manage risks identified during the risk analysis, as required by implementation specification 45 C.F.R. § 164.308(a)(1)(ii)(B).
The HIPAA Security Rule was introduced to ensure that the protected health information of individuals is appropriately protected, and the risk analysis is an essential element of the Security Rule. If healthcare organizations do not assess all systems for security vulnerabilities, there is no way of ensuring that data security measures are sufficient or effective. If healthcare organizations do not look for security gaps, it is highly probable that some will remain, and they could potentially be exploited by malicious actors.
This settlement should serve as a reminder to all business associates of covered entities that they are required to comply with the HIPAA Security Rule and must conduct regular risk analyses to identify vulnerabilities that could place the confidentiality, integrity, and availability of ePHI at risk.
Covered entities should also check whether their business associates have performed this most basic of security measures. It is the responsibility of covered entities to ensure that risk analysis failures are identified, whether they exist in their own organizations or in those of their business associates.