Healthcare organizations have an obligation to patients to protect their sensitive information, which is why HIPAA compliance is vital. Organizations that are HIPAA compliant protect not only their patients but also their business’s reputation. Two recent Office for Civil Rights (OCR) settlements highlight the importance of compliance.
In one case, a medical center came under fire for disclosing patient information to a news reporter. The other case involved poorly implemented security measures, ultimately leading to a ransomware attack that exposed sensitive patient information.
Medical Center Settles Potential Privacy Rule Violation
On November 20, 2023, the OCR announced a settlement with Saint Joseph’s Medical Center to resolve an incident involving the healthcare provider disclosing patient information to a news outlet.
During the height of the COVID-19 pandemic, Saint Joseph’s Medical Center was the subject of an Associated Press article discussing the medical center’s response to the public health crisis. While touring the medical center’s facility, reporters took photographs of patients receiving treatment for the virus. The images exposed protected health information (PHI), such as patients’ COVID-19 diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
As a result, the medical center agreed to pay the OCR $80,000 and implement a corrective action plan. Under the corrective action plan, the medical center must amend its policies and procedures, and retrain its workforce on the new guidelines.
In a press release discussing the settlement, OCR Director Melanie Fontes Rainer stated, “When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization. Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”
First OCR Settlement from Ransomware Incident
On October 31, 2023, the first OCR ransomware agreement in history was announced: a settlement with a HIPAA business associate (BA) for $100,000.
In 2019, Doctors’ Management Services, the business associate in question, reported a ransomware attack to OCR. According to the filing, the incident affected the protected health information (PHI) of 206,695 patients.
As is customary following a large-scale breach, the OCR launched an investigation into the BA’s HIPAA compliance.
OCR’s investigation determined that Doctors’ Management Services potentially:
- Failed to conduct a thorough security risk assessment
- Had insufficient monitoring of its health information systems’ activity
- Lacked policies and procedures to protect the confidentiality, integrity, and availability of electronic protected health information
“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly reviewing risks and records, and updating policies. These practices should happen regularly across an enterprise to prevent future attacks.”
Ransomware and hacking are very real threats faced by the healthcare industry, and the threat continues to grow. OCR has seen a 239% increase in large breaches reported involving hacking, with a 278% increase in ransomware incidents.
How to Prevent HIPAA Violations
Not every healthcare breach results in fines. When an organization can show that it made reasonable efforts to comply with HIPAA, it is usually offered assistance from OCR rather than punishment.
While the Saint Joseph’s Medical Center incident is not typical, several healthcare organizations have been fined for the improper use or disclosure of PHI. Under the HIPAA Privacy Rule, PHI may be disclosed without patient authorization only for treatment, payment, or healthcare operations. Before a healthcare provider may disclose PHI for any other purpose, it must obtain the patient’s explicit written authorization.
Hacking incidents, however, are the most frequently cited cause of healthcare breaches. In 2023, hacking incidents accounted for 77% of large breaches reported. Breaches are bound to happen, but there are ways to reduce the risk of suffering one.
OCR recommends that healthcare organizations:
- Review all vendor and contractor relationships to ensure business associate agreements are in place
- Conduct a risk analysis regularly and when new technologies and business operations are planned
- Ensure audit controls are in place to record and examine information system activity
- Implement regular review of information system activity
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI
- Encrypt ePHI to guard against unauthorized access
- Incorporate lessons learned from incidents into the overall security management process
- Provide training specific to the organization and job responsibilities on a regular basis
Contributed by Compliancy Group
Whether you’re starting from scratch or looking to streamline HIPAA, Compliancy Group’s software includes everything you need - from employee training to policies and procedures. Give your practice peace of mind. Automate, track, and manage all of your HIPAA requirements with software. Find out how Compliancy Group can help you simplify compliance.