PHI Visible Via Google Search Leads to $3 Million HIPAA Settlement | Practical Law


The Department of Health and Human Services (HHS), Office of Civil Rights (OCR) announced a $3 million settlement with a covered entity that provides diagnostic medical imaging services to address potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The provider must also carry out a corrective action plan that involves completing and updating a risk analysis and risk management plan, adopting business associate agreements and HIPAA policies and procedures, and providing training to workforce members.


Practical Law Legal Update w-020-2650 (Approx. 7 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 08 May 2019, USA (National/Federal)
On May 6, 2019, HHS's Office for Civil Rights (OCR) announced a $3 million resolution agreement to address potential violations of HIPAA's privacy, security, and breach notification requirements by a HIPAA covered entity that provides diagnostic medical imaging services (see Practice Notes, HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rules). The provider must also complete a two-year corrective action plan that involves adopting and updating business associate (BA) agreements and HIPAA policies and procedures, performing a risk analysis and developing a related risk management plan, and furnishing training to workforce members (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Enforcement: Settlement Agreements).

Non-Secure Web Server Led to Exposure of Health Information Online

In May 2014, HHS was informed that social security numbers belonging to the provider's patients were available online because of a non-secure file transfer protocol (FTP) web server. HHS confirmed that protected health information (PHI) of the provider's patients, including social security numbers, was visible via a Google search. The FBI had informed the provider of the non-secure FTP server around the same time that HHS learned of the breach.
HHS's subsequent investigation revealed that:
  • The names, dates of birth, phone numbers, addresses, and, in some instances, social security numbers, of more than 305,000 individuals were accessible to the public through the provider's insecurely configured FTP server.
  • The provider's server was configured to allow anonymous FTP connections to a shared directory.
  • Until May 2014, the provider had not implemented technical policies and procedures to restrict access to the ePHI maintained on the FTP server to only those persons or software programs that had been granted access rights.
  • The provider had not entered into a written BA agreement with one of its BAs until June 2016, and had continued to engage with another BA without a BA agreement (see Standard Document, HIPAA Business Associate Agreement).
  • The provider failed to perform an accurate and thorough risk analysis of the potential risks to the ePHI that it held.
  • For over four months, the provider failed to:
    • accurately identify and respond to the exposure of individuals' PHI through the non-secure server;
    • mitigate the harmful effects of this known security incident to the extent practicable; and
    • document the incident and its outcome.
  • The provider failed to notify affected individuals and media outlets of the security breach for 147 days after it discovered the breach (see Practice Note, HIPAA Breach Notification Rules).
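The exposure described above came from a server configuration, not from an exploit: the FTP service accepted anonymous logins to a directory holding ePHI, so a search engine could crawl it like any public web content. The audit script below is an added example and is not part of the Practical Law update or anything the provider used. It assumes a vsftpd-style `key=value` configuration (the option names and documented defaults are vsftpd's; the provider's actual FTP software is not named in the update), and the weak and hardened configurations it checks are constructed samples, not the provider's files. The point it demonstrates is that a compliant audit must apply the server's documented defaults: vsftpd permits anonymous logins unless `anonymous_enable` is explicitly set to `NO`, so a configuration that never mentions the key is still exposed.

```python
"""Audit a vsftpd-style configuration for settings that expose stored files
to anonymous, unauthenticated clients.

Constructed example: the sample configurations below are illustrative and
are not the provider's actual configuration. The option names are real
vsftpd options; the documented defaults are applied when a key is absent.
"""

# vsftpd.conf(5) documents anonymous_enable as defaulting to YES, so a
# configuration that never mentions the key still permits anonymous logins.
# Treating a missing key as "safe" is the audit mistake this table prevents.
DOCUMENTED_DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "xferlog_enable": "NO",
}

# Constructed sample resembling the exposure in the update: anonymous
# clients may read a shared directory, over clear-text FTP, with no transfer log.
WEAK_CONFIG = """
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/shared
local_enable=YES
write_enable=YES
"""

# Constructed sample of a hardened configuration (an assumption about what a
# fix looks like; the update does not state the provider's remediation):
# anonymous logins off, TLS required for logins and data, transfers logged.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
xferlog_enable=YES
"""


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().upper()
    return settings


def audit(text):
    """Return a list of findings; an empty list means no weak setting found."""
    cfg = {**DOCUMENTED_DEFAULTS, **parse_config(text)}
    findings = []
    if cfg["anonymous_enable"] == "YES":
        findings.append(
            "anonymous logins permitted (anonymous_enable=YES or key absent): "
            "any client that can reach the port can read the shared directory")
        if "YES" in (cfg["anon_upload_enable"], cfg["anon_mkdir_write_enable"]):
            findings.append("anonymous clients may also write to the server")
    if cfg["ssl_enable"] != "YES":
        findings.append(
            "TLS disabled: credentials and file contents cross the network in clear text")
    elif "YES" not in (cfg["force_local_logins_ssl"],) or cfg["force_local_data_ssl"] != "YES":
        findings.append("TLS optional: clients may still negotiate clear-text sessions")
    if cfg["xferlog_enable"] != "YES":
        findings.append(
            "transfer logging disabled: who downloaded what cannot be reconstructed")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run against the weak sample the audit reports three findings (anonymous read access, clear-text transport, no transfer log); against the hardened sample it reports none. The transfer-log check matters for the second half of the update: without `xferlog_enable`, an organization in the provider's position cannot determine which records were downloaded, which is exactly the investigation and documentation step the provider was faulted for failing to complete.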

Corrective Action Plan

In addition to paying HHS $3 million to settle the action, the provider must satisfy a corrective action plan (CAP) that HHS characterized as "robust." Among other things, the CAP requires the provider to perform a risk analysis and develop and implement a risk management plan, adopt and manage BA agreements, update its HIPAA policies and procedures, and develop and furnish HIPAA training to its workforce members.

Business Associate Agreements; Content Requirements Involving Business Associates

The CAP requires the provider to review all its relationships with vendors and third-party service providers to identify BAs. The provider must provide HHS:
  • An accounting of the provider's BAs, including:
    • the names of its BAs;
    • a description of services provided and the date that services began; and
    • a description of how the BAs handle and interact with the provider's PHI.
  • Copies of BA agreements that the provider maintains with each BA.
The CAP also requires the provider to update its BA agreement policies and procedures. The CAP includes specific content requirements concerning the provider's BAs, for example:
  • Designating one or more individual(s) to ensure that the provider enters into a BA agreement with each of its BAs before disclosing PHI to the BAs.
  • Establishing procedures for assessing the provider's current and future business relationships to determine whether each relationship is with a BA that requires the provider to enter into a BA agreement.
  • Creating a process for negotiating and entering into BA agreements with BAs before disclosing PHI to them.
  • Developing recordkeeping procedures to maintain BA agreements for at least six years from when a BA relationship is terminated.
  • Limiting disclosures of PHI to BAs to the minimum necessary for the BAs to perform their duties (see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard).

Risk Analysis and Risk Management

The CAP requires the provider to perform an accurate, thorough, and enterprise-wide risk analysis of potential risks to the ePHI that it holds. The risk analysis must include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI. The scope and methodology of the risk analysis is subject to an HHS approval process. Once the provider carries out an approved risk analysis, it must also implement an organization-wide risk management plan to address security risks and vulnerabilities identified in the risk analysis.
Under the CAP, the provider must conduct – on an annual basis – an accurate and complete assessment of potential risks to the confidentiality, integrity, and availability of ePHI held by the provider and its sub-entities. The subsequent risk analyses and management plans must be submitted to HHS for review.

HIPAA Policies and Procedures

The provider's revised HIPAA policies and procedures must address numerous provisions under the HIPAA Privacy Rule and Security Rule, as specified in the CAP. In particular, the updated policies and procedures must reflect specific provisions related to the compliance shortfalls identified in HHS's investigation, including:
  • Technical access controls for network/server equipment and systems to prevent impermissible access and disclosure of ePHI (see Practice Note, HIPAA Security Rule: Technical Safeguards: Access Control).
  • Technical access controls and restrictions for software applications containing ePHI (that is, to limit authorized access to the minimum amount necessary).
  • Technical mechanisms to create access and activity logs, and related administrative procedures to routinely review logs for suspicious events and to respond appropriately.
  • Termination of user accounts when necessary and appropriate.
  • Required and routine password changes, and password strength and safeguarding.
  • Addressing and documenting security incidents.
From a process perspective, the provider must:
  • Submit the revised policies and procedures to HHS for approval.
  • Finalize and formally adopt the policies and procedures.
  • Distribute the policies and procedures to all its workforce members.
  • Document that its workforce members have read, understood, and agreed to comply with the policies and procedures.
The provider's workforce members may not have access to ePHI until this documentation is obtained.

Training

The provider must submit its proposed HIPAA training program for workforce members to HHS for approval (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Once the training program is approved, the provider must:
  • Furnish training to all workforce members.
  • Require workforce members who receive the training to provide a written or electronic certification confirming that they received the training.
The provider must also provide routine retraining based on the updated policies and procedures.

Practical Impact: Identifying BAs and Other HIPAA Compliance Lessons

Several factors contributed to the size of the settlement payment and relative severity of the CAP requirements in this enforcement action. For example, the provider appears to have made a bad situation worse by failing to thoroughly investigate a known security incident after being notified of the incident by both HHS and the FBI. This delay also contributed to the untimeliness of the provider's breach notification to the media and individuals affected by the breach. The settlement agreement also emphasizes the provider's noncompliance with HIPAA's risk analysis and BA requirements. The resulting CAP provisions are more prescriptive than usual regarding BA issues – particularly the requirement that the provider designate a BA manager to identify BA relationships and make sure the provider has BA agreements in place where necessary.