
In early December of 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it had issued a $548,265 civil monetary penalty (CMP) against Children’s Hospital Colorado (CHC) for the latter’s HIPAA compliance trip-ups: violations of the HIPAA Privacy and Security Rules. Details of the CMP are provided below.

548,265 Reasons Why HIPAA Compliance Matters: It All Started When….

CHC, founded in 1897 (a mere 21 years after Colorado became a state), is known for its excellence. Recently, U.S. News & World Report designated CHC as one of the ten best children’s hospitals in the United States, the best children’s hospital in Colorado, and the best children’s hospital in the region.

Pedigree, though, does not insulate even the best of the best from experiencing cybersecurity incidents.

In September of 2017, CHC notified OCR of a breach of PHI that had occurred two months earlier. A physician’s CHC email account, containing the PHI of 3,370 children, had been compromised because the CHC information technology help desk had previously disabled two-factor authentication on the doctor’s account and failed to reactivate it.

Flash forward to 2020. In the first half of April of 2020, CHC notified OCR of another breach. This time, an unauthorized individual had accessed the email accounts of three CHC workforce members, which together contained the PHI of 10,840 individuals. OCR subsequently investigated this breach and determined that the access did not require technological sophistication: two of the workforce members had effectively given the unknown third parties permission to access their email accounts by accepting a multi-factor authentication request that neither had initiated. The workforce members’ accounts contained PHI consisting of names, dates of service, medical record numbers, zip codes, medical diagnoses, social security numbers, and driver’s license numbers. All of this information was impermissibly disclosed to third parties.
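The 2017 incident turned on a routine help desk action (disabling two-factor authentication) that was never reversed. A control that catches that failure mode is a periodic review of MFA-change audit events for exceptions that were never closed, or closed long after they were opened. The script below is an added example written for this article, not code from CHC, OCR, or any identity product; it assumes a constructed, simplified log format of `<timestamp> <actor> <action> target=<account>` and a 24-hour maximum for any MFA exception. The sample log lines are constructed for the demonstration.

```python
"""Report MFA exceptions that were disabled and not re-enabled within a time limit.

Added example: the log format and the 24-hour policy are assumptions for
illustration, not the article's or any vendor's format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str    # account that made the change (e.g. a help desk login)
    target: str   # account whose MFA setting was changed
    action: str   # "mfa_disabled" or "mfa_enabled"


@dataclass(frozen=True)
class StaleException:
    target: str
    disabled_by: str
    disabled_at: datetime
    open_for: timedelta
    closed: bool  # True if MFA was eventually re-enabled, but only after the limit


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <actor> <action> target=<account>'."""
    ts, actor, action, target_field = line.split()
    if not target_field.startswith("target="):
        raise ValueError(f"malformed line: {line!r}")
    # fromisoformat() accepts a trailing 'Z' only on Python 3.11+, so normalise it.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, actor, target_field[len("target="):], action)


def find_stale_mfa_exceptions(events, now, max_open=timedelta(hours=24)):
    """Return exceptions that stayed open longer than max_open, oldest first.

    An exception that is still open at `now` is reported with closed=False;
    one that was re-enabled late is reported with closed=True.
    """
    open_since = {}   # target account -> the mfa_disabled event that opened it
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "mfa_disabled":
            open_since.setdefault(ev.target, ev)   # keep the earliest disable
        elif ev.action == "mfa_enabled":
            start = open_since.pop(ev.target, None)  # stray enables are ignored
            if start is not None and ev.ts - start.ts > max_open:
                findings.append(StaleException(ev.target, start.actor, start.ts,
                                               ev.ts - start.ts, True))
    for target, start in open_since.items():
        if now - start.ts > max_open:
            findings.append(StaleException(target, start.actor, start.ts,
                                           now - start.ts, False))
    return sorted(findings, key=lambda f: f.disabled_at)


# Constructed sample log: one exception never closed, one closed in time,
# one closed three days late, and one stray enable with no matching disable.
SAMPLE_LOG = """
2024-03-01T09:00:00Z helpdesk.a mfa_disabled target=physician1
2024-03-02T10:00:00Z helpdesk.b mfa_disabled target=nurse1
2024-03-02T12:30:00Z helpdesk.b mfa_enabled target=nurse1
2024-03-03T08:00:00Z helpdesk.a mfa_disabled target=resident1
2024-03-04T15:00:00Z helpdesk.c mfa_enabled target=admin1
2024-03-06T08:00:00Z helpdesk.c mfa_enabled target=resident1
"""
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def run_sample():
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_stale_mfa_exceptions(events, NOW)


if __name__ == "__main__":
    for f in run_sample():
        state = "closed late" if f.closed else "STILL OPEN"
        print(f"{f.target}: MFA disabled by {f.disabled_by} at {f.disabled_at:%Y-%m-%d %H:%M}, "
              f"open for {f.open_for}, {state}")
```

Running the script flags `physician1` (disabled on March 1 and still open at the review date) and `resident1` (re-enabled after 72 hours), while `nurse1` is not reported because the exception was closed within the limit. Feeding the real MFA-change events from an identity provider's audit log into `find_stale_mfa_exceptions` on a schedule gives a defender a concrete way to surface the "disabled and forgotten" condition before it is found by someone else.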

548,265 Reasons Why HIPAA Compliance Matters: Nursing a Lack of Privacy Training

CHC enters into agreements with various nursing schools, to provide clinical opportunities for nursing students. The scope of the agreements is considerable: From March 1, 2018, through November 30, 2018, CHC had an “Agreement for Student Education” in effect with 26 universities and colleges. Those nursing students on clinical rotations at CHC facilities during this time frame created and received PHI through patient care and had access to medical and other records containing PHI that were maintained by CHC in its electronic health systems.

CHC’s agreements with the nursing schools during this time frame were clear on who was responsible for the students’ HIPAA training: “[a]t the commencement of a Student’s placement the [CHC] contact person shall provide an orientation to Students regarding [CHC’s] administrative policies and standards including applicable confidentiality laws, rules, regulations, and procedures with respect to patient records.”

The nursing school agreement that CHC had in place with one school – Illinois State – even specifically stipulated that a nursing “student is part of the Children’s Colorado’s ‘workforce’ as defined in HIPAA Privacy Regulations….” (The HIPAA Privacy Rule requires covered entities to train their workforce on the covered entity’s privacy and breach notification policies and procedures.)

During OCR’s investigation of whether training was conducted, CHC admitted a HIPAA compliance no-no: “[t]he total number of workforce members for whom CHC did not provide HIPAA Privacy Rule [training] between January 1, 2013, and December 31, 2018, was 6,666,” including 3,495 nursing students. CHC did not begin to train these student workforce members, who had considerable PHI exposure, as required by law until November 30, 2018.

548,265 Reasons Why HIPAA Compliance Matters: Shadowing the Security Rule

The HIPAA Security Rule requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by the covered entity. This requirement is the “security risk analysis” requirement of the HIPAA Security Rule – a cornerstone of HIPAA compliance. During OCR’s investigation, CHC submitted documents showing attempts to complete this analysis. In mid-2018, OCR informed CHC that the analyses were insufficiently accurate and thorough, because the analyses did not account for all the locations and systems that created, received, maintained, and/or transmitted ePHI.

OCR provided CHC with Security Rule technical assistance so that CHC could bring itself into HIPAA compliance. Whatever CHC gleaned from this assistance appears to have been to its benefit: in May of 2021, CHC provided OCR with the results of the “Children’s Hospital Colorado 2020 Healthcare Enterprise Risk Assessment” that a third party, Tevora, completed on its behalf (dated February 5, 2021). OCR concluded that this document was an adequate risk analysis.

Upon concluding its investigations of both the 2017 incident and the 2020 incident, OCR found that CHC’s HIPAA compliance had been wanting until February 5, 2021: before that date, CHC had failed to conduct an accurate and thorough risk analysis.

548,265 Reasons Why HIPAA Compliance Matters: A Last Chance

OCR officially notified CHC of the results of OCR’s investigations on June 23, 2023, and offered CHC the opportunity to resolve the matter informally.

The matter was not resolved informally. OCR then sent CHC a Letter of Opportunity (LOO) via email on October 13, 2023. The LOO informed CHC that OCR’s investigations found preliminary indications of noncompliance with the Security Rule risk analysis requirement; the Privacy Rule’s use and disclosure standard; and the Privacy Rule workforce training standard.

In the LOO, OCR provided CHC with an opportunity to submit evidence of mitigating factors for OCR to consider in making a determination of a CMP. CHC submitted a response, which OCR found insufficient as evidence of mitigation. In a Notice of Proposed Determination to Impose a Civil Monetary Penalty dated June 11, 2024, OCR proposed a civil monetary penalty of $548,265. Children’s Hospital Colorado waived its right to a hearing and did not contest OCR’s findings. Accordingly, in September of 2024, OCR imposed the CMP of $548,265.

548,265 Reasons Why HIPAA Compliance Matters: Analyze and Train

In a press release announcing the CMP, OCR Director Melanie Fontes Rainer noted the importance of HIPAA compliance: “Email continues to be a very common way for cyberattackers to enter health information systems and jeopardize privacy and security. Health care entities should identify potential risks and vulnerabilities to email accounts and train their workforce to protect health information in those accounts.”