Imagine you are surfing the internet when you stumble across your own protected health information, or the protected health information of a loved one. You wonder: shouldn't health information be protected? How could it be accessed on the internet? What should you do? You decide it is best to file a complaint with the responsible health-care organization.
Now, imagine you are the representative for that health-care organization. The individual who discovered the ePHI files a complaint with you. As you finish documenting the complaint, you can't help but wonder: what are the possible repercussions of an ePHI breach?
Two health-care organizations submitted a joint breach report regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results. The entities first learned of the breach after receiving a complaint from an individual who had found the ePHI of the individual's deceased partner on the internet.
The two covered entities submitted a joint breach report because they share a joint arrangement and refer to their organizations as an affiliation. They operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to patient information systems containing ePHI.
The investigation initiated by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revealed that the breach was caused when a physician employed by one of the entities, who developed applications for both, attempted to deactivate a personally-owned computer server on the network that contained patient ePHI. Because technical safeguards were lacking, the ePHI became accessible through internet search engines.
In addition to the impermissible disclosure of ePHI on the internet, it was found that neither entity had made efforts prior to the breach to assure that the server was secure and contained appropriate safeguards. Furthermore, neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan addressing potential threats and hazards to the security of ePHI. Lastly, one of the entities had failed to implement appropriate policies and procedures for authorizing access to its databases, and had failed to comply with its own policies on information access management.
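The two technical failures just described, an unmanaged personally-owned server on a shared network behind a shared firewall, and access to ePHI systems that was never authorized through the entity's own process, are both things a recurring reconciliation check can surface before a complaint does. The script below is an added illustration, not code from the article or from either entity: it takes a constructed asset inventory, a constructed list of hosts actually observed on the network, and a constructed ordered firewall rule set, and flags every host that is reachable from the internet but is either unknown, not approved through the access-authorization process, or serving ePHI without authentication. All addresses, owners and rules are sample data invented for the example.

```python
"""Reconcile internet-exposed hosts against an approved asset inventory.

Added example (not from the article). Every IP, owner and rule below is
constructed sample data; first-match firewall semantics are assumed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    ip: str
    owner: str
    approved: bool       # went through the entity's access-authorization process
    requires_auth: bool  # service authenticates users before serving data
    holds_ephi: bool     # system stores or serves ePHI


@dataclass(frozen=True)
class FirewallRule:
    action: str  # "allow" or "deny"
    src: str     # permitted source CIDR; 0.0.0.0/0 means the whole internet
    dst: str     # destination CIDR
    port: int


# Constructed inventory: an approved patient portal, a personally-owned
# server that never went through authorization, and a public website.
INVENTORY = [
    Asset("10.0.1.10", "IT-Ops", approved=True, requires_auth=True, holds_ephi=True),
    Asset("10.0.1.57", "physician (personal device)", approved=False, requires_auth=False, holds_ephi=True),
    Asset("10.0.1.80", "IT-Ops", approved=True, requires_auth=False, holds_ephi=False),
]

# Constructed list of hosts seen on the shared network (e.g. from a scan);
# 10.0.1.99 is on the wire but nobody registered it.
OBSERVED_HOSTS = {"10.0.1.10", "10.0.1.57", "10.0.1.80", "10.0.1.99"}

# Constructed shared-firewall rule set, evaluated top to bottom, first match wins.
# Rule 3 is the kind of broad "allow the whole subnet" entry that quietly
# exposes every device plugged into the network.
RULES = [
    FirewallRule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),
    FirewallRule("allow", "0.0.0.0/0", "10.0.1.80/32", 443),
    FirewallRule("allow", "0.0.0.0/0", "10.0.1.0/24", 80),
    FirewallRule("deny", "0.0.0.0/0", "10.0.1.0/24", 443),
]


def port_exposed(ip: str, port: int, rules) -> bool:
    """True if the first rule matching (ip, port) allows traffic from anywhere."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.port == port and addr in ipaddress.ip_network(rule.dst):
            return rule.action == "allow" and ipaddress.ip_network(rule.src).prefixlen == 0
    return False  # implicit default deny


def exposed_ports(ip: str, rules) -> set:
    """All ports on this host reachable from the whole internet."""
    return {rule.port for rule in rules if port_exposed(ip, rule.port, rules)}


def audit(inventory, observed_hosts, rules):
    """Return (ip, severity, reason) for every internet-reachable host that
    is unknown, unapproved, or serving ePHI without authentication."""
    by_ip = {asset.ip: asset for asset in inventory}
    findings = []
    for ip in sorted(set(observed_hosts) | set(by_ip), key=ipaddress.ip_address):
        ports = exposed_ports(ip, rules)
        if not ports:
            continue
        asset = by_ip.get(ip)
        if asset is None:
            findings.append((ip, "high", f"reachable on {sorted(ports)} but absent from inventory"))
        elif not asset.approved:
            severity = "critical" if asset.holds_ephi else "high"
            findings.append((ip, severity, f"reachable on {sorted(ports)}; owner '{asset.owner}' never authorized"))
        elif asset.holds_ephi and not asset.requires_auth:
            findings.append((ip, "critical", f"serves ePHI on {sorted(ports)} without authentication"))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in audit(INVENTORY, OBSERVED_HOSTS, RULES):
        print(f"{severity.upper():8} {ip:12} {reason}")
```

Run against the sample data, the audit reports the physician's personal server as critical (ePHI, unapproved, reachable on port 80 through the broad subnet rule) and the unregistered 10.0.1.99 as high; the approved portal and the public website produce no findings. The design point is that exposure is computed from the firewall's actual rule order, not from what the inventory claims, so a permissive shared rule shows up as the exposure it really is.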
This resulted in $4,800,000 in monetary payments, the largest HIPAA settlement to date. According to Christina Heide, the acting Director of Health Information Privacy for OCR, "when entities participate in joint compliance arrangements, they share the burden of addressing the risks of protected health information." She goes on to say that "health care organizations need to make data security central to how they manage their information systems."
We recommend ensuring that appropriate administrative, technical and physical safeguards are in place to adequately protect ePHI. In our reference guide, we state that risk analysis and risk management are the keys to identifying and selecting the security controls you will use to manage your security risk. We have recognized the importance of thorough risk analysis and risk management, and to address it our website has updated Tools & Assessments, such as an SRA, that can be accessed and completed. For these two entities, a thorough risk analysis and risk management plan may have prevented an unnecessary breach of ePHI and $4,800,000 in monetary payments.
Please do not hesitate to contact one of our professional consultants if you have any questions about HIPAA Privacy, HIPAA Security, or safeguarding ePHI.