HIPAA Biannual Update July to December 2018 BY ALEX TAIRA

Since ASCA’s last update in July, health care organizations across the country posted 163 breaches of protected health information (PHI) affecting 500 or more individuals. For the first time in two years a single type of breach, hacking or information technology (IT) incident, accounted for a majority (53 percent) of all breaches reported by the Office of Civil Rights (OCR). Hacking and the next most common breach cause, unauthorized access (33 percent), accounted for 86 percent of all PHI breaches between July and December 2018. Within the US Department of Health and Human Services (HHS), the OCR is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when it is stored or transferred electronically.

[Chart: causes of reported PHI breaches, July to December 2018: 53% Hacking/IT Incident; 33% Unauthorized Access/Disclosure; 8% Theft; 3% Loss; 3% Improper Disposal]

When a significant health information breach occurs, OCR often establishes a resolution agreement with the health care entity at fault. The resolution agreement generally involves a monetary penalty, as well as a series of mandatory corrective actions that the entity must undertake to prevent a future breach from occurring. This was a momentous six-month period for OCR, as it announced a landmark $16 million settlement with Anthem Inc. for the 2015 data breach that caused an estimated 79 million people to have their PHI exposed. The settlement figure far exceeded OCR’s previous highest settlement payment of $5.5 million. ASCs can take important steps to help prevent these sorts of breaches and limit their liability. While most OCR settlements do not reach the amount of the Anthem settlement, they can easily reach into the hundreds of thousands or millions depending on the extent of the data exposure. To help prevent unauthorized access, improper disposal, loss and theft of PHI, ASCs need to review and update policies and procedures frequently. ASCs also can review the enforcement actions on the OCR website and consider how they can avoid the mistakes made by others. Below are selected OCR enforcement actions from the past six months and the precautionary takeaways for ASCs.

Anthem Inc.

What Happened: In January 2015, Anthem discovered that cyber-attackers had gained access to its system via phishing emails. At least one employee of an Anthem subsidiary responded to a malicious email, thus opening the entire IT system to hacker access. In less than two months, via their targeted and undetected attack, the hackers managed to steal the electronic protected health information (ePHI) of roughly 79 million individuals, the largest health data breach in US history. Anthem agreed to the aforementioned $16 million settlement and a robust corrective action plan.

Takeaway for ASCs: This attack is a startling illustration of how a small lapse in cybersecurity and access detection can have devastating effects. The hackers were targeting ePHI, and it took only one response to a phishing email to expose the whole health IT infrastructure. Furthermore, Anthem was not able to detect the intrusion and allowed the hackers time to mine the system for the maximum amount of ePHI. It is vital for all health care entities, including ASCs, to train their employees on the risks of phishing emails and other common vehicles for attacks on data. In addition, ASCs should have access detection mechanisms in place and regularly evaluate their data security policies to ensure the elimination of any possible vulnerabilities.

Advanced Care Hospitalists

What Happened: Advanced Care Hospitalists (ACH), a company that provides contracted internal medicine physicians to hospitals and nursing homes, allowed a fraudulent contractor to access and display patient information under the guise of a medical billing contract. The contractor had no connection with any medical billing agencies and displayed ePHI, including names, dates of birth and social security numbers, of potentially thousands of patients in public view on the ACH website. ACH agreed to a $500,000 settlement and a substantial corrective action plan.
