In $5.5 Million HIPAA Settlement, HHS Cites Faulty Security Audit Controls
The Department of Health and Human Services (HHS) announced a $5.5 million settlement with a public health care system and covered entity under the Health Insurance Portability and Accountability Act (HIPAA), to address potential HIPAA violations involving the disclosure of individuals' protected health information.
On February 16, 2017, HHS announced a $5.5 million settlement with a nonprofit, Florida-based public health care system, which includes several hospitals, a nursing home, and related health care facilities, for potential HIPAA violations (see HIPAA Toolkit (www.practicallaw.com/7-502-6708)). HHS's investigation occurred after the health care system, a HIPAA covered entity, provided HHS with an initial breach notification and an addendum breach report concerning improper access to patients' protected health information (PHI) (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans (www.practicallaw.com/1-532-2085) and HIPAA Enforcement and Group Health Plans: Penalties and Investigations (www.practicallaw.com/2-519-1055)).
Scope of Alleged Violations
In April 2012, the covered entity informed the government, via HIPAA breach notification, that two of its employees had improperly accessed patient information (including the patients' names, dates of birth, and Social Security numbers). In a follow-on report submitted to HHS a few months later (and after an internal investigation), the covered entity indicated that:
12 users had gained impermissible access to information at physician offices affiliated with the health care system.
More than 105,500 individuals were potentially affected by the improper access.
According to HHS, these incidents resulted in federal charges involving the sale of PHI and the filing of fraudulent tax returns.
Following its own investigation, HHS concluded that the covered entity violated the HIPAA Privacy Rule by:
Impermissibly disclosing the PHI of 80,000 individuals because a former employee of one of the covered entity's affiliated physician practices gained access to patients' PHI for over a year (see Practice Note, HIPAA Privacy Rule (www.practicallaw.com/4-501-7220)).
Failing to adopt procedures to regularly review information system activity (for example, audit logs, access reports, and incident tracking reports; see Practice Note, HIPAA Security Rule: Administrative Safeguards (www.practicallaw.com/5-502-1269)).
Not implementing policies and procedures that – based on the covered entity's access authorization policies – established, documented, reviewed, and changed a user's right of access to workstations, transactions, programs, and procedures.
Corrective Action Plan
In addition to the $5.5 million payment, the covered entity must adhere to a corrective action plan (CAP) that includes:
Completion of a risk analysis of enterprise-wide risks to the security of PHI, along with:
implementation of a risk management plan to address these risks; and
evidence that appropriate security measures and safeguards identified in the risk management plan are being implemented.
Revisions to the covered entity's policies and procedures governing:
the establishment, modification, and termination of access (including protocols for access by affiliated physicians, their practices, and employees);
information system activity to provide for the regular review of audit logs, access reports, and security incident tracking reports; and
compliance with the HIPAA Security Rule standards for security management processes (including to prevent, detect, contain, and correct security violations).
Submission of the covered entity's revised policies and procedures to HHS for its approval, followed by adoption and distribution of the policies and procedures to the covered entity's workforce members (including the workforce members of the covered entity's HIPAA business associates; see Standard Document, HIPAA Business Associate Agreement (www.practicallaw.com/3-501-6706)).
Internal monitoring of the covered entity's compliance with the CAP.
Review of the covered entity's CAP compliance by an objective and independent third-party assessor (a requirement with numerous subparts, such as unannounced site visits to the covered entity's various facilities by the assessor).
A six-year document retention rule regarding all records related to the covered entity's compliance with the CAP.
Practical Impact: Audit Controls
This latest HHS settlement caught our eye because it involves an aspect of HIPAA compliance for covered entities – specifically, audit controls under the HIPAA Security Rule – that has not received as much attention in recent settlements as other parts of the HIPAA rules. However, given the size of the payment here and the scope of the CAP requirements (which the government characterized as "robust"), it is clear that HHS wants covered entities to focus more closely on audit controls under the Security Rule (see Practice Note, HIPAA Security Rule (www.practicallaw.com/5-502-1269)).
In a newsletter issued last month, HHS offered greater detail regarding the audit controls (for example, regularly monitoring and logging user activities) that might have prevented the impermissible access to PHI by former employees that resulted in this settlement. The newsletter includes several examples of audit trails and emphasizes the importance of these trails in maintaining a record of system activity and preventing breaches from occurring.