In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a record 19 fines for failure to comply with the HIPAA regulations. Six of them were issued principally for violations of the HIPAA Security Rule, above all the failure to conduct a security risk analysis, and in one case the failure to track and inventory the devices that hold or reach ePHI. OCR’s message in 2020 was simple: keep patient records safe. The six 2020 fines for HIPAA Security Rule violations are discussed below.

HIPAA Security Rule Violations

HIPAA Security Rule Violations: Risk Analysis and Risk Assessment

OCR’s 2020 enforcement activity began with fines for violating the Security Rule’s administrative safeguard requirement to perform a risk analysis and to manage the risks it identifies. As a practical matter, skipping this step is like pulling a bottom card from a house of cards: if you never establish where your ePHI lives and what threatens it, whatever other security measures you take are not propping up the things that matter.

HIPAA Security Rule Violations: Steven A. Porter, M.D.

Out in Ogden, Utah, the gastroenterology practice of Steven A. Porter, M.D. (about 3,000 patients treated per year) had a dispute with a business associate. On November 21, 2013, Dr. Porter filed a breach report alleging that Elevation 43, a business associate of the practice’s electronic health record (EHR) company, was impermissibly using the practice’s patients’ electronic protected health information (“ePHI”) by blocking the practice’s access to it. Elevation 43 told Dr. Porter it would be happy to restore access, for $50,000.

OCR’s investigation found that Dr. Porter’s practice was in significant noncompliance with the HIPAA Security Rule, first and foremost because it had never conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. OCR also found that the practice had failed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level. The two findings go together: the point of a risk analysis is to identify and investigate the risks, and a practice that does not know a risk exists cannot be taking reasonable measures against it. Here the risk that went unexamined was availability: a subcontractor of the practice’s own EHR vendor was able to cut the practice off from its patients’ records. The implication of OCR’s findings is that a practice which had mapped where its ePHI lived, and who could withhold it, would have been in a far better position to avoid being held to ransom. OCR separately cited the practice for failing to enter into a valid business associate agreement with Elevation 43. Treating the Security Rule violations as the main event, OCR settled with Dr. Porter for a $100,000 fine and a two-year corrective action plan.

HIPAA Security Rule Violations: Metropolitan Community Health Services

A few months later, OCR struck again, fining Metropolitan Community Health Services (Metro), a Williamston, North Carolina provider serving the underserved population of that state’s rural east, $25,000. Back in 2011, Metro, a federally qualified health center (FQHC), had filed a breach report with OCR affecting 1,263 patients. On investigation, OCR found widespread, longstanding noncompliance with the HIPAA Security Rule: Metro had not developed Security Rule policies and procedures, had never conducted a risk analysis, and did not provide workforce members with security awareness training until 2016. In short, Metro treated the Security Rule as if it did not exist.

HIPAA Security Rule Violations: And Then There Were Four

The remaining four Security Rule fines each cost the recipient, all of them larger organizations, more than one million dollars.

Lifespan Affiliated Covered Entity

First up was Lifespan Affiliated Covered Entity (“Lifespan ACE”), a Rhode Island nonprofit health system whose affiliates include teaching hospitals, medical centers, and a behavioral healthcare provider. Its breach report led to an OCR investigation, which determined that the theft of an unencrypted laptop from an employee’s car, broken into while parked in a public lot, resulted in a breach of the ePHI of more than 20,000 individuals. The MacBook, which was never recovered, was unencrypted, so the thieves had access to ePHI including patient names, medical record numbers, demographic information, and medication information for patients of several Lifespan affiliates.

In fining Lifespan $1,040,000 in July 2020, OCR found that Lifespan had not implemented encryption policies and procedures and had not implemented policies and procedures to track or inventory the devices that access its network or contain ePHI.

Athens Orthopedic Clinic PA

Second up was Athens Orthopedic Clinic PA (“Athens Orthopedic”), a Georgia orthopedic practice serving approximately 138,000 patients per year. In September 2020, OCR announced that Athens Orthopedic had agreed to pay $1,500,000. In June 2016, a journalist notified Athens Orthopedic that a database of its patient records might have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it had stolen. Athens Orthopedic subsequently determined that the hacker had used a vendor’s credentials on June 14, 2016, to access its electronic medical record system and exfiltrate patient health data, and had continued to access protected health information (PHI) for over a month, until July 16, 2016.

On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by the breach and that the PHI disclosed included patients’ names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information. OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules, including failure to conduct a risk analysis and failure to implement risk management and audit controls. Without audit controls, an outsider using a vendor’s credentials to pull patient records looked no different from the vendor itself: the clinic learned of the intrusion from a journalist rather than from its own monitoring, and the access continued for weeks after that.

Major Fines Issued For HIPAA Security Rule Violations

The final two Security Rule fines of 2020 were also issued in September 2020: the first in the amount of $2.3 million and, two days later, the second in the amount of $6.85 million.

The first went to CHSPSC LLC (“CHSPSC”) of Franklin, Tennessee, a business associate that provides IT and health information management services to hospitals and clinics affiliated with Community Health Systems.

Like Athens Orthopedic, CHSPSC was found to have numerous security weaknesses that allowed hackers to access its network remotely. The intrusion began in April 2014, and CHSPSC only learned of it when the FBI notified the company eight days later. Despite notification from the nation’s top federal law enforcement agency, the hackers continued to access and exfiltrate PHI for another four months, until August 2014. By then the damage had been done: the intrusion exposed the protected health information of 6.1 million individuals. A class action lawsuit followed, which CHSPSC settled for $3.1 million. OCR then took its turn, entering into a settlement under which CHSPSC paid $2.3 million and agreed to implement a corrective action plan (CAP).

The catalog of Security Rule violations found by OCR includes:

  • Failure to conduct a security risk analysis;
  • Failure to implement information system activity review;
  • Failure to implement security incident procedures; and
  • Failure to implement access controls and audit logs.
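The Athens Orthopedic and CHSPSC cases both turn on the same missing control: nobody was reviewing who was reading records, so a valid credential in the wrong hands looked like normal use for weeks. The following is an added example, not code from this page or from any of the organizations discussed, of what a minimal information system activity review over an EHR access audit log can look like. The log format, account names, roles, IP addresses, thresholds and maintenance window are all constructed for illustration.

```python
"""Minimal information system activity review over an EHR access audit log.

Added example. The log format, accounts, roles, IPs and thresholds below are
constructed for illustration and are not drawn from any OCR case.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Assumed review thresholds: a day is suspicious when an account touches more
# than VOLUME_FLOOR patients *and* more than SPIKE_FACTOR times its own median.
VOLUME_FLOOR = 5
SPIKE_FACTOR = 3
# Assumed maintenance window outside of which vendor accounts should be idle.
VENDOR_HOURS = (time(7, 0), time(19, 0))

# Constructed sample log: timestamp,account,role,source_ip,patient_id,action.
# A clinician with steady daytime use, and a vendor support account that
# starts exporting many records at night from a previously unseen address.
SAMPLE_LOG = """\
2016-06-10T09:12:00,dr.lee,clinician,10.0.5.21,P1001,view
2016-06-10T09:40:00,dr.lee,clinician,10.0.5.21,P1002,view
2016-06-10T14:05:00,dr.lee,clinician,10.0.5.21,P1003,view
2016-06-10T11:00:00,vendor.svc,vendor,10.0.9.7,P1001,view
2016-06-11T10:02:00,dr.lee,clinician,10.0.5.21,P1004,view
2016-06-11T15:30:00,dr.lee,clinician,10.0.5.21,P1005,view
2016-06-11T11:10:00,vendor.svc,vendor,10.0.9.7,P1006,view
2016-06-14T02:10:00,vendor.svc,vendor,203.0.113.45,P2001,export
2016-06-14T02:11:00,vendor.svc,vendor,203.0.113.45,P2002,export
2016-06-14T02:12:00,vendor.svc,vendor,203.0.113.45,P2003,export
2016-06-14T02:13:00,vendor.svc,vendor,203.0.113.45,P2004,export
2016-06-14T02:14:00,vendor.svc,vendor,203.0.113.45,P2005,export
2016-06-14T02:15:00,vendor.svc,vendor,203.0.113.45,P2006,export
2016-06-14T09:30:00,dr.lee,clinician,10.0.5.21,P1007,view
"""


def parse_log(text):
    """Parse the comma-separated log into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, role, ip, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "role": role, "ip": ip, "patient": patient,
                       "action": action})
    return sorted(events, key=lambda e: e["ts"])


def review_activity(events):
    """Replay the log one account-day at a time and return findings.

    Each account's earlier days form its own baseline, so the first day an
    account appears is never flagged for volume or for a new source IP; only
    the off-hours rule applies from day one.
    """
    by_account_day = defaultdict(list)
    for e in events:
        by_account_day[(e["account"], e["ts"].date())].append(e)

    history = defaultdict(lambda: {"ips": set(), "daily_counts": []})
    findings = []
    for (account, day), day_events in sorted(by_account_day.items()):
        h = history[account]
        patients = {e["patient"] for e in day_events}
        ips = {e["ip"] for e in day_events}
        role = day_events[0]["role"]

        def flag(rule, detail):
            findings.append({"account": account, "date": str(day),
                             "rule": rule, "detail": detail})

        if h["daily_counts"]:  # only once this account has a baseline
            baseline = median(h["daily_counts"])
            if len(patients) > max(VOLUME_FLOOR, SPIKE_FACTOR * baseline):
                flag("volume_spike",
                     f"{len(patients)} patients vs median {baseline}")
            new_ips = ips - h["ips"]
            if new_ips:
                flag("new_source_ip", ", ".join(sorted(new_ips)))

        if role == "vendor":
            off_hours = [e for e in day_events
                         if not VENDOR_HOURS[0] <= e["ts"].time() <= VENDOR_HOURS[1]]
            if off_hours:
                flag("vendor_off_hours",
                     f"{len(off_hours)} events, first at {off_hours[0]['ts'].time()}")

        h["ips"] |= ips
        h["daily_counts"].append(len(patients))
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{f['date']} {f['account']:<12} {f['rule']:<17} {f['detail']}")
```

Run as written, all three findings land on vendor.svc for 2016-06-14, which is the shape of the Athens Orthopedic incident: the credential was legitimate, the behaviour was not. The rules are deliberately simple. The point is that a review that runs daily over a reasonable log catches this on day one rather than in month two, and that none of it works if audit logging is not turned on and retained in the first place.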

The second, a $6.85 million fine and the second largest in the history of HIPAA enforcement, was issued to a health insurer whose name is widely known and whose founding dates back to 1945. In September 2020, Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR and to implement a corrective action plan, settling potential violations behind a breach that affected over 10.4 million people and exposed their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. PBC, like many of the Blues, is enormous: it is the largest health plan in the Pacific Northwest, and a tempting target by definition.

On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber attackers had gained unauthorized access to its information technology (IT) system. The hackers had used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, and, once again, the intrusion went undetected for nearly nine months, until January 2015. The attack was an advanced persistent threat, an intrusion designed to stay quiet and keep its access for as long as possible. OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failure to implement audit controls and failure to conduct an enterprise-wide risk analysis and risk management.

OCR announced this fine with a warning shot across the bow:

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.  

OCR 2020: Insecurity Everywhere

The lessons of the six HIPAA Security Rule fines are simple to state: covered entities and business associates that do not implement the administrative, technical, and physical safeguards of the HIPAA Security Rule are sitting on PHI-exposing time bombs. Audit logs, access controls, an inventory of the devices that hold or access ePHI, and, most critically, risk analysis and risk management must all be implemented. In September 2020, HHS updated its Security Risk Assessment (SRA) Tool to drive home the point that covered entities and business associates must review and update their risk assessment on a regular basis and then follow up on the vulnerabilities it identifies. As the government itself notes, though, the SRA Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks, which is all the more reason to seek out expertise.

Prevent HIPAA Breaches

Don’t fall victim to breaches. Protect your business by becoming compliant today!