Groundhog Day 2023 means two years of following a corrective action plan and a $1.25 million settlement for Banner Health Affiliated Covered Entities (Banner Health) following the announcement of a Resolution Agreement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The settlement and resolution agreement follow an investigation of a 2016 hacking incident that exposed the protected health information of almost three million people.
Background of Banner Health’s 2016 Hack
OCR launched an investigation of the Arizona-based non-profit health system in November 2012 following a breach report stating that an unauthorized party accessed the PHI of millions of patients.
OCR’s investigation revealed potential violations of HIPAA rules and regulations, including the HIPAA Privacy Rule and the HIPAA Security Rule:
- The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner (see 45 C.F.R. § 164.308(a)(1)(ii)(A)).
- The requirement to implement sufficient procedures to regularly review records of information system activity (see 45 C.F.R. § 164.308(a)(1)(ii)(D)).
- The requirement to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (see 45 CFR § 164.312(d)).
- The requirement to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network (see 45 C.F.R. 164.312(e)(1)).
Banner Health made no admission of liability as part of the resolution agreement.
Consequences of OCR Investigation
The hack affected the records of patients at as many as 31 hospitals and 70 associated clinics in at least four western and midwestern states. The resolution agreement calls for Banner to pay $1.25 million to OCR and requires them to follow a Corrective Action Plan for two years that includes:
- Conducting an accurate and thorough HIPAA Security Risk Assessment;
- Developing and implementing a Risk Management Plan;
- Developing, revising, and maintaining HIPAA Policies and Procedures for their entire workforce;
- Distributing the Policies and Procedures to all workforce members for attestation/certification; and
- Preparing an implementation report and annual reports.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records. This begins with understanding the risks and taking action to prevent, respond to, and combat such cyber-attacks.”
With less than a month before the HIPAA Breach Notification deadline for incidents affecting less than 500 patients in 2022, the announcement should remind us that OCR investigators take their enforcement duties seriously. If you need assistance avoiding a situation like the one faced by Banner Health, let Compliancy Group help you become fully HIPAA compliant.
