Rady HIPAA Breach – Access Controls & Training

Rady Children’s Hospital in San Diego announced this week that it has discovered two instances of impermissible disclosure of patient information – both disclosures arising from employees sending spreadsheets containing PHI to job applicants.  Surprisingly, Rady employees did not learn the lesson from their northern California neighbor, Stanford, which recently settled a lawsuit for $4 Million based on similar circumstances of a vendor releasing patient information to a job applicant.  In both the Rady situations (and at Stanford) identifiable patient information was sent to job applicants in order to evaluate those applicants’ skill sets.  The spreadsheets contained names, dates of birth, diagnoses, insurance carrier, claim information, and additional information.  Combined, the breach affected over 20,000 patients.

Rady has announced that it will take the following actions to prevent future events:

• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.
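The second bullet describes an outbound-email control: flag messages whose attachments look like they carry PHI and hold them for approval. The following is an added illustration of that kind of check, not Rady's code or any vendor's product; it scores a CSV attachment on the field types named in the post (patient names, dates of birth, diagnoses, insurance carrier, claim data) and decides whether the message should be held. The header keywords, weights, threshold, and the two sample spreadsheets are all constructed for the example.

```python
import csv
import io
import re

# Header keywords keyed to the columns the Rady spreadsheets held; weights are assumed.
PHI_HEADER_TERMS = {
    "patient": 3, "name": 1, "dob": 3, "date of birth": 3, "birth": 2,
    "diagnosis": 3, "dx": 2, "icd": 3, "insurance": 2, "carrier": 1,
    "claim": 2, "member id": 3, "mrn": 3,
}
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")        # e.g. 03/14/1975
ICD_RE = re.compile(r"^[A-Z]\d{2}(\.\d{1,2})?$")       # ICD-10-style code, e.g. J18.9

def score_attachment(csv_text, hold_threshold=6):
    """Score a CSV attachment body; return (score, reasons, hold_for_approval)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return 0, [], False
    header = [h.strip().lower() for h in rows[0]]
    score, reasons = 0, []
    for col in header:                       # header-name evidence
        for term, weight in PHI_HEADER_TERMS.items():
            if term in col:
                score += weight
                reasons.append(f"header '{col}' matches '{term}'")
                break
    body = rows[1:]
    for idx in range(len(header)):           # cell-content evidence per column
        cells = [r[idx].strip() for r in body if idx < len(r)]
        if not cells:
            continue
        if sum(1 for c in cells if DATE_RE.match(c)) >= 0.8 * len(cells):
            score += 2
            reasons.append(f"column {idx} is mostly dates")
        if sum(1 for c in cells if ICD_RE.match(c)) >= 0.8 * len(cells):
            score += 3
            reasons.append(f"column {idx} is mostly diagnosis codes")
    return score, reasons, score >= hold_threshold

# Constructed samples: one patient-claims export, one harmless applicant score sheet.
SAMPLE_PHI = ("Patient Name,DOB,Diagnosis,Insurance Carrier,Claim #\n"
              "Jane Doe,03/14/1975,J18.9,ExampleCare,CLM-0001\n"
              "John Roe,11/02/1968,E11.9,ExampleCare,CLM-0002\n")
SAMPLE_OK = "Applicant,Test Score,Date Taken\nA. Candidate,88,05/01/2013\n"

if __name__ == "__main__":
    for label, text in (("claims export", SAMPLE_PHI), ("score sheet", SAMPLE_OK)):
        score, reasons, hold = score_attachment(text)
        print(label, score, "HOLD" if hold else "allow", reasons)
```

A single date column on its own stays below the hold threshold, so routine reports are not blocked; a header row that reads like a claims extract, or a column of diagnosis codes, is enough to route the message for approval.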

Though these steps are important, it is quite alarming that breaches such as these are still happening.  Why are job applicants receiving spreadsheets with patient information?  As Rady notes above, training exercises are commercially available.  Breaches, such as the one at Rady and at Stanford, reveal several flaws in HIPAA compliance – but two in particular rise to the surface.

1.  Access Controls.  The HIPAA Security Rule stresses the importance of access controls both internally and externally within a covered entity (and now business associates). Who gets access to the PHI, who gives that person access, and what access do they have?  The administrative, physical, and technical safeguard requirements all touch on whether access to PHI for workforce members is appropriate.  For example, a technical safeguard requirement specifically addressing access controls requires that covered entities and business associates “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”  45 CFR 164.312.  Covered entities and business associates alike should evaluate who within their organizations actually needs access to PHI to perform job functions.  Does the HR Department or an internal/external recruiter, arguably in charge of hiring new staff, need PHI in order to perform their job duties?  (Note, I do not opine here as to whether access to PHI was properly granted to the workforce members at Rady, as I lack sufficient information to make that judgment.)  Determining whether access to PHI is appropriate is both a requirement of the HIPAA Security Rule (though it is “addressable,” you still need to address it!) and a good mitigation tactic to avoid impermissible breaches, such as the one here.

2.  Training.  All covered entities and business associates are responsible for HIPAA Security training for all members of the workforce.  45 CFR 164.308.  Though training may vary depending on the workforce member’s use of PHI, all staff must be trained.  Training does not end following an initial session.  Periodic security updates are specifically identified in the Security Rule as an implementation specification.  These updates do not have to be limited to information about new virus protection software installed on the system. They can include valuable tidbits like case studies, HIPAA rule reminders, and HIPAA-related headlines.  For some workforce members HIPAA may not be top of mind (specifically for those in business roles that may not deal with patients or patient information on a routine basis).  Providing periodic training updates and reminders, including examples of other HIPAA breaches (such as Stanford here), may be very useful in driving home how easy HIPAA breaches can be…and how expensive they are.

Avoidance of HIPAA breaches altogether is nearly impossible, but proper access controls and training can help mitigate against breaches such as the one that occurred here.

For more information about HIPAA Security contact Elana Zana.


Copier Hard Drive Breach Costs Plan $1.2 Million

Yesterday, HHS announced a new HIPAA related settlement with Affinity Health Plan for $1,215,780 related to PHI maintained on leased copy machines.  This settlement follows an OCR investigation prompted by Affinity’s breach report filed on April 15, 2010.   Affinity became aware of the breach following notice from CBS Evening News.  Apparently, CBS purchased a photocopier previously leased by Affinity as part of an investigative report.  CBS then notified Affinity that the copy machine contained PHI on its hard drive.  Affinity reported that an estimated 344,579 individuals were affected by this breach.

OCR determined that Affinity improperly disclosed PHI when it returned its copy machines to the leasing agents without erasing the data on the copier hard drives.  Additionally, Affinity failed to include the copy machine hard drives in its HIPAA mandated risk analysis required by the Security Rule and failed to implement policies and procedures for wiping the hard drives when returning the photocopiers to its leasing agents.  Affinity also entered into a corrective action plan with the OCR to retrieve all hard drives contained on copy machines previously leased that remain in the possession of the leasing agent.

Covered Entities (and now business associates) need to make sure that all electronic devices, including copy machines, medical equipment, computers, mobile phones, tablets, etc. are incorporated into their HIPAA Security Policies and Procedures and are evaluated to ensure that PHI is wiped prior to returning or selling any such devices.  The FTC has issued a report on safeguarding data stored in hard drives of digital copiers, and NIST has also issued guidance on media sanitization.

For more information regarding how to comply with the HIPAA Security Rules please contact Elana Zana.

HHS Announces New HIPAA Breach Settlement

HHS has announced its first HIPAA breach settlement involving fewer than 500 patients.  The announcement came on January 2, 2013 following a disclosure by the provider, Hospice of North Idaho.  The facts involved the theft of an unencrypted laptop that contained ePHI for 441 individuals.  HHS found that the provider did not do a sufficient analysis of the risk to confidentiality of ePHI after the new rule went into effect and did not have in place appropriate policies or security measures to ensure the confidentiality of ePHI.  To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan.  More information about the settlement, including the settlement agreement, can be found at this link on the HHS website.

This settlement shows that HHS takes breach notifications seriously.  At the same time, it appears that HHS will be open to entering reasonable settlement agreements to resolve this type of breach.  Mostly this demonstrates what we all know:  don’t put ePHI on unencrypted laptops or other mobile devices.  For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.

ONC Launches Toolkit on Using Mobile Devices

Theft of mobile devices is one of the most common causes of HIPAA breaches.  Though usage of mobile devices is permitted under HIPAA, users must maintain appropriate security to avoid unauthorized use or disclosure of patient information.  The ONC recently launched a new website entitled: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information to help providers better use their mobile devices that contain PHI.  The website contains videos, tip sheets, and FAQs.  Providers using mobile devices are strongly encouraged to visit the site and install security safeguards to avoid potential breaches.

For more information about HIPAA and securing mobile devices please contact Elana Zana.

New Type of Breach – Hackers Encrypting PHI & Holding for Ransom

Typical breach scenarios often include a stolen laptop or other device and the extraction of medical records by those thieves.  Now a new type of breach has occurred, hackers breaking into systems and holding PHI for ransom.  Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois.  Rather than stealing the data and using it for identity theft purposes, the hackers encrypted the PHI and held it for ransom.  To read the full article click here.

This type of incident would most likely be considered a “breach” under the HITECH Act, requiring breach notification to the affected individuals, unless the NIST encryption standards were already employed, providing a safe harbor.  However, other HIPAA requirements are also implicated, including obligations under the Security Rule to have technical and physical safeguards, which may include building secure firewalls to prevent such hackers.  Along with maintaining a secure system, it is also advisable to back up all PHI.