Why organizations ignore HIPAA at their own peril
After a lull in enforcement actions concerning HIPAA, the Office for Civil Rights re-entered the fray with a $3 million fine. The settlement, announced on May 6, imposes a significant fine after widespread non-compliance was found by OCR.
As with many prior settlements, the factual scenario underpinning the latest settlement is fairly egregious. As one of many missteps, the party with HIPAA troubles, in this instance Touchstone Medical Imaging, had its troubles revealed to it by the FBI.
Around May 9, 2014, the FBI told TMI about an insecure FTP server that left patient information searchable on the internet. Likely unknown to TMI, OCR received notification of that insecurity at the same time, and OCR confirmed the report only a few days later. While that combination of events would not necessarily indicate a big issue, OCR subsequently sent a notice of investigation to TMI on Aug. 19, 2014, to obtain more background information about the breach.
The results of the investigation are where things turn a dramatic turn for the worse. According to the recitation of findings in the resolution agreement between OCR and TMI, the non-compliant conduct discovered included:
- Determining that the breach impacted 307,839 individuals
- Lack of policies to limit access to the FTP server containing PHI
- Not putting a business associate agreement with MedIT Associates until June 2016 (the nature of services is not identified)
- Continuing to work with another business associate (XO Communications) without a business associate agreement (it is not necessarily clear, but the resolution agreement implies that this failure is an ongoing violation)
- Not conducting a thorough risk analysis until April 3, 2014, (the only positive is that this risk analysis at lest occurred prior to notification from the FBI or OCR)
- Failure to notify individuals of the breach until Oct. 3, 2014, (almost five months after being told by the FBI of the issue)
- Failure to notify the applicable media outlets of the breach until Oct. 3, 2014.
As suggested, the initial underlying facts of not properly securing the FTP server could be chalked up to inadvertent error that would not bring a hammer down. However, as always happens following notification of a breach, OCR investigated the entity. When the investigation uncovered the widespread non-compliance, enforcement was bound to follow.
While the facts, as noted, are hopefully not indicative of how the majority of entities respond to breaches, there are some lessons to take away from the TMI settlement.
First, always check how all servers are implemented. No matter how secure a server, device or other tools can be, the security will be quickly undercut by inadequate implementation. Oftentimes default settings will not be consistent with what an entity necessarily wants. To be sure security is effective, run through the settings and compare to best practices.
Second, do not share patient information with any downstream entity (namely from a covered entity to a business associate or from a business associate to a subcontractor) without putting a business associate agreement into place. The BAA is always the obligation of the entity higher up on the chain. If helpful, use a checklist where the boxes need to be completed when going through contracting. One of the foremost boxes to check needs to be putting a BAA into place. The fact that TMI may potentially still be sharing PHI without a BAA begs the question of how deliberate and willful the alleged misconduct may be classified. Avoiding the problem is easy though with careful attention to contracting detail.
Third, the frequent flier violation of no or delayed risk analysis appears again. It is possible that every settlement has found an inadequate risk analysis. The risk analysis is fundamental to being able to implement comprehensive and compliant security policies. The risk analysis is time-consuming and resource intensive, but skipping is not an option.
Lastly, when a breach occurs, notification is mandatory. The required breach notification needs to be provided within 60 days of discovery of the breach. Discovery does not necessarily mean that all of the details have been finalized. When an entity is told about the breach by the FBI or other law enforcement, disputing the time of discovery will become difficult if not impossible. Pay attention to the ticking clock and inform individuals of breaches, even when such disclosure may be embarrassing.
As always, every settlement offers lessons even if the lessons may not be clear from the first glance. Ultimately, taking compliance obligations seriously and trying to do the right thing will go a long way to making those goals a reality.