Archive for Unsecure PHI
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 alleging that hospital employees were storing patient records containing PHI in an unsecure online document-sharing application without first analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
A nursing home that unexpectedly shut its doors in May is now facing allegations from neighbors that the owners simply abandoned the facility and left it unsecured with trash, boxes and patient files lying about inside the building, according to a report from Fox 13 News in Utah.
Homeowners who live next to the former Deseret Health and Rehabilitation facility in Sandy, Utah called local police on June 2 to report the situation after they saw people entering the building and carrying out items. When a news crew visited the scene, a pile of patient files containing confidential information was sitting out on the sidewalk, according to Fox 13.
A spokesman for the Utah Department of Health told the station that state authorities were concerned about the situation and were trying to work with the parent company on proper storage of the patient records.
A California hospital network that agreed to a $4.13 million settlement of a class-action lawsuit for exposing the PHI of more than 32,000 patients is now getting pushback from its liability insurance provider about paying the claims.
In December 2013, it was discovered that the health system, Cottage Health, and a third-party vendor, InSync, had stored patients’ unencrypted electronic medical records on a database accessible from the Internet. Potentially, patients’ PHI could have shown up in an online search engine for the world to see. There was no evidence at the time that this had actually happened, but Cottage Health still had to notify 32,755 patients that their PHI may have been publicly exposed.
The health system then agreed to settle a class-action lawsuit brought by the patients. Chicago-based Columbia Casualty Company, Cottage Health’s liability insurer, paid the settlement but then filed a complaint in federal court in May 2015 seeking repayment of the insurance claims.
A new threat is emerging on the healthcare horizon. Medical identity theft is running rampant and hackers are targeting merchants’ credit card systems. It’s only a matter of time before the two worlds collide.
“Virtually all patient-facing healthcare organizations accept credit and debit cards, and a significant number of business associates [BA] and other related companies do as well,” says Dan Berger, president and CEO of Redspin, Inc., in Carpinteria, California. “Medical records are already one of the most high-value targets for identity theft, and adding credit card numbers into the mix exponentially increases the security risks that healthcare companies face every day,” he says.
Healthcare organizations must become familiar with the Payment Card Industry Data Security Standard (PCI DSS) to protect the privacy and security of their patients, says Phyllis A. Patrick, MBA, FACHE, CHC, founder of Phyllis A. Patrick & Associates, LLC, in Purchase, New York. “There are all kinds of threats that we didn’t see or saw a lot less of a few years ago,” says Patrick.
The Payment Card Industry Security Standards Council (PCI SSC), a body formed by the major payment card brands, was established in 2006 to develop the PCI requirements. The current version of the requirements is PCI DSS 3.0, says Berger. Credit card companies are not subject to the same federal and state regulations as banks and credit unions, although some states have opted to incorporate PCI standards into state law. Therefore, the card companies came together to develop their own security standards to protect cardholder data and industry transactions, says Berger.
Continue reading “PCI requirements are essential to HIPAA security programs” on the HCPro website. Subscribers to Briefings on HIPAA have free access to this article in the August issue.
A recent HHS statement emphasizes the need for encryption, citing two recent OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare. Unencrypted computers and mobile devices pose a significant security risk for organizations because PHI stored in plaintext on such a device is readable by whoever obtains it if the device is lost, stolen, or hacked.
OCR’s $1,725,220 resolution agreement with Concentra Health Services, a national healthcare company, for potential HIPAA violations stemming from the theft of an unencrypted laptop computer highlights the importance of encryption.
An OCR investigation revealed that Concentra had identified its lack of encryption as a security threat in several risk analyses. Although the organization took steps to encrypt its devices, its efforts were inconsistent and incomplete. Concentra failed to implement sufficient policies and procedures to detect and correct security violations, and failed to execute appropriate risk management measures to address the lack of encryption it had itself identified, according to the resolution agreement.
Similarly, OCR agreed to a $250,000 monetary settlement with Arkansas-based QCA Health Plan, Inc., following the theft of an unencrypted laptop containing PHI from a workforce member’s car. The health plan began its effort to encrypt its devices only after the breach, and had failed to comply with a multitude of HIPAA Privacy and Security Rule requirements from April 2005 to June 2012, according to the HHS statement. Like Concentra, QCA Health Plan failed to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a thorough risk assessment, according to the resolution agreement.
Encryption is the best defense for covered entities and business associates, Susan McAndrew, OCR’s deputy director of health information privacy, said in the statement. Under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not considered “unsecured” PHI, so the loss of a properly encrypted device does not by itself trigger breach notification, which is why both resolution agreements turn on the absence of encryption rather than on the theft itself.