Hacker Group's Impermissible Access to ePHI Leads to $1.5 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving a Georgia-based orthopedic clinic (and HIPAA covered entity (CE)). The CE must pay $1.5 million to settle potential HIPAA violations resulting from the impermissible disclosure of electronic protected health information (ePHI) in its possession. The CE also must comply with a two-year corrective action plan.

Practical Law Legal Update w-027-5395 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 22 Sep 2020 | USA (National/Federal)
On September 21, 2020, HHS issued a resolution agreement and related press release announcing a settlement with a Georgia-based orthopedic clinic and HIPAA covered entity (CE) for potential violations of the HIPAA Privacy and Security Rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). Under the agreement, the CE will pay $1.5 million to HHS and must comply with a broad-ranging, two-year corrective action plan (CAP).

Hacker Demands Payment for Return of Stolen Health Information

In June 2016, a journalist notified the CE that patient records belonging to the CE were available for sale online. Two days later, a hacker group known as "The Dark Overlord" contacted the CE, demanding money in exchange for the return of a full copy of the stolen records (without sale or further disclosure). A computer forensic analysis confirmed that the hacker group obtained access to the CE's system using credentials belonging to one of the CE's vendors.
HHS began its investigation after the CE filed its July 2016 breach report, indicating that the breach affected more than 208,500 individuals and included patient information such as names, dates of birth, and social security numbers (see Practice Note, HIPAA Breach Notification Rules). The individuals' clinical information also was compromised, including reasons for visiting the clinic, "social histories," medications, test results, and medical procedures.
HHS's investigation revealed that the CE failed to:
  • Prevent the unauthorized disclosure of electronic protected health information (ePHI) of more than 208,500 individuals.
  • Maintain copies of its HIPAA policies and procedures.
  • Implement certain technical safeguards.
  • Enter into business associate (BA) agreements with three of its BAs (see Standard Document, HIPAA Business Associate Agreement).
  • Provide HIPAA training to all workforce members.
  • Conduct an accurate and thorough risk analysis concerning the ePHI in its possession.
  • Implement sufficient security measures to reduce risks and vulnerabilities to the ePHI in its possession.

Corrective Action Plan Focuses on Procedures and Workforce Training

In addition to the $1.5 million payment, the CE must comply with a CAP that imposes extensive requirements on the CE regarding BA agreements, risk analysis and risk management, HIPAA policies and procedures, and training for workforce members.

Business Associate Agreements

Under the CAP, the CE must review its relationships with vendors and third parties to identify BAs and provide HHS:
  • An accounting of its BAs, including their names, a description of the services provided, dates those services began, and a description of how the BA handles the CE's PHI.
  • Copies of all BA agreements the CE has with its BAs.

BA Policies and Procedures

The CAP also requires the CE to revise its BA policies and procedures to:
  • Designate an individual responsible for ensuring that the CE enters into a BA agreement with each BA before disclosing PHI to the BA.
  • Establish a process for identifying present and future BAs, which also requires the CE to enter into BA agreements with those BAs.
  • Create a process for negotiating and entering into BA agreements with BAs before disclosing PHI.
  • Adopt a standard template BA agreement.
  • Implement a process for preserving documentation of a BA agreement for six years after the BA relationship ends.
  • Limit disclosure of PHI to BAs to the minimum necessary for BAs to perform their duties (see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard).

Risk Analysis and Risk Management

The CAP also requires the CE to:
  • Perform an accurate, thorough, and enterprise-wide risk analysis of security risks and vulnerabilities covering all electronic equipment, data systems, programs, and applications that contain, store, transmit, or receive ePHI.
  • Develop a complete inventory of the CE's electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI.
  • Create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Perform a risk analysis, and develop a corresponding risk management plan, on an annual basis.
The CE's initial and subsequent risk analyses and risk management plans must be submitted to HHS for approval.

HIPAA Policies and Procedures

The CAP requires the CE to review and revise its HIPAA policies and procedures to comply with the HIPAA Privacy and Security Rules—and also its breach notification requirements (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Breach Notification Rules). The policies and procedures must meet specified content requirements and address specific concerns identified by HHS, including:
  • Technical access controls for network/server equipment and systems to prevent unauthorized access to, or disclosure of, ePHI.
  • Technical access control and restriction for any software application containing ePHI, so that authorized access is limited to the minimum necessary (see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard).
  • Technical mechanisms to create access/activity logs, and procedures to regularly review logs for suspicious events.
  • Termination of user accounts.
  • Password strength and password changes.
  • Identifying BAs and workforce training.
Furthermore, the CE may need to create or revise policies and procedures in response to findings from the risk analysis or to implement a risk management plan.
The CE must submit its revised policies and procedures to HHS for approval. Once the policies and procedures are approved, the CAP requires the CE to:
  • Finalize and adopt the approved policies and procedures.
  • Distribute the policies and procedures to all workforce members.
  • Document that workforce members have read, understand, and will comply with the policies and procedures. The CE may not provide a workforce member access to PHI until it obtains this documentation.
  • Review and, if necessary, revise the policies and procedures on an annual basis.

Training

Under the CAP, the CE must submit its proposed training materials to HHS for approval (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). After the materials are approved, the CE must:
  • Provide training to all workforce members.
  • Obtain a certification, in written or electronic form, from each workforce member stating that the workforce member received the training.
  • Ensure that workforce members complete the required training.
  • Review and, if necessary, revise the training materials on an annual basis.

Practical Impact

The CAP reflects HHS's emphasis on HIPAA policies and procedures to combat the compliance shortfalls uncovered in its investigation. As in other recent HHS/HIPAA settlements, this latest agreement requires the CE to systematically identify its BAs and ensure that a BA agreement is in place with each BA identified (see Practice Note, HIPAA Enforcement: Settlement Agreements: Characteristics of Settlement Agreements and Legal Update, In $1 Million HIPAA Settlement, HHS Emphasizes Business Associate and Encryption Compliance). Also in keeping with other recent settlements, the CAP imposes specific content requirements for the CE's revised policies and procedures that correspond to core HIPAA privacy, security, and breach notification requirements. From a technology perspective, the CAP identifies a relatively detailed list of technical access controls and related provisions—ranging from activity logs to password updates to workforce training—intended to prevent the type of unauthorized access (here, using a vendor's credentials) that permitted a hacker group to access and ransom individuals' PHI.