The US Department of Health and Human Services Office of Civil Rights (HHS OCR) has become fed up with entities not taking their HIPAA failures seriously. At the recent 28th Annual National HIPAA Summit, OCR Director Roger Servino outlined his office’s new approach to HIPAA enforcement. No longer would OCR work from a compliance standpoint, they will now work from an enforcement view. They want to make examples out of sites that don’t do what is legally mandated to protect patient privacy. This week’s case study is a good example of this. The entity involved was fined $3 million for numerous HIPAA failures.
Touchstone Medical Imaging, LLC, is a Tennessee based medical imaging services company (TMI) that provides diagnostic medical imaging services in Arkansas, Colorado, Florida, Nebraska, and Texas.
TMI was informed by the FBI in May 2014, that one of the servers they used to host patient information was available on the internet without any authentication. The server in question was an FTP server that allowed for anonymous connections to the data. The data on the server contained the Protected Health Information (PHI) of 307,839 patients.
To make matters worse, this information had been indexed by search engines like Google. This meant that the data could be found simply by performing a Google search. Even after the server was removed, search engines store this data in cache making it still available online.
The breach was reported to OCR but TMI initially claimed that the breach resulted in no patient data being compromised.
OCR launched their investigation and that forced TMI to admit that patient data was indeed breached.
The investigation revealed many disturbing events at TMI. The first was that the breach wasn’t actually investigated until September 2014 a full 4 months after it was discovered. This means that the notification was made well in excess of the 60 windows mandated by law.
TMI’s notification to patients was also late and this created yet another violation.
The second item discovered was that TMI had not done a proper Risk Assessment of their networks. This is what led to the server being online without the proper access controls on the PHI.
An additional item discovered in the investigation was that TMI didn’t have Business Associate Agreements for two of its vendors who had access to their ePHI.
All told, there were eight HIPAA violations.
All of these items show clear willful neglect of TMI’s obligation to protect PHI.
What was the result?
OCR fined TMI $3 million and agreed to a Corrective Action Plan. The amount of the settlement was because of a long history of non-compliance with HIPAA regulations. It also shows OCR’s willingness to go after sites who are flagrantly violating HIPAA rules. This is in line with its new focus on enforcement.
“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem. Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
OCR Director Roger Severino
You can read the agreement resolution and action plan here.
HIPAA Failures can lead to enormous fines
If sites perform their due diligence and still have a breach, OCR is far less likely to impose fine them. The overwhelming number of breaches reported in the past were settled with corrective action plans. Its when sites don’t do anything for HIPAA. They show total disregard to their legal obligation or protect patient data, privacy, and health, that’s when OCR gets to work. The recent case of the practice who shut down due to a ransomware infection is a perfect example. All patients lost their medical records. This makes it very hard to find a new physician and for complex specialties, this can be life-threatening. This was all because the practice didn’t do anything for their HIPAA to protect their data. I can imagine the fine the practice will pay once OCR investigates due to the seriousness of this incident.
When practices don’t do their part, that is when OCR brings the hammer. This case is a perfect example due to the sheer number of violations by TMI.
Get started with your Risk Assessment. Make sure it’s very thorough and covers all of the likely risk types for your circumstances. After that, make sure you remediate everything you discovered and document it.
One key point to remember is to NEVER not do things that you have documented that you do. This will set you up for an even larger failure.