• E-mail
• Print
• RSS

OCR sends message about risk analysis with HIPAA settlement

HIM-HIPAA Insider, December 21, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

The University of Washington Medicine (UWM) agreed to a $750,000 civil monetary penalty and corrective action plan (CAP) with OCR over a potential HIPAA violation, according to a statement released by HHS. UWM is the latest in a string of high-profile HIPAA settlements and OCR has taken the opportunity to make an example of the importance of conducting an organization wide risk analysis. UWM is an affiliated covered entity (CE), comprising designated healthcare components and several other University of Washington entities, including the university’s primary teaching hospital, University of Washington Medical Center.

The breach, reported to OCR November 27, 2013, occurred when an employee downloaded an email attachment that contained malware. The malware infected the organization’s system and compromised the PHI of roughly 90,000 patients. The PHI is taken from two different data sets containing different types of information. The first, involving 76,000 patients, included:

• Patient names
• Medical record numbers
• Dates of service
• Charges or bill balances

The second set of data affected the PHI of 15,000 patients and included:

• Patient names
• Medical record numbers
• Addresses and phone numbers
• Dates of birth
• Charges or bill balances
• Social Security numbers
• Insurance identification or Medicare numbers

The statement did not indicate which affiliated entity the employee worked for.

OCR’s investigation found that UWM failed to enforce risk assessments and analysis policies across its affiliated entities. Affiliated CEs are required to ensure that all member entities follow the organization’s policies and procedures. Although UWM’s policies stated that affiliated entities must have up-to-date risk assessments and security safeguards, it did not actually enforce these policies. UWM “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI,” according to the resolution agreement.

HHS’s statement included a link to its guide on conducting a HIPAA risk analysis.

OCR’s actions makes it clear that it expects entities to take risk assessments seriously and will not tolerate policies that exist only on paper, according to Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of risk advisory and forensic services at Wipfli, LLP, in Eau Claire, Wisconsin.

“OCR is sending a very clear message to the communities saying it’s time to get off the bench and start doing your risk assessments,” he says. “It’s time to quit avoiding doing these or thinking that you don’t need to do them.”

Organizations should take this as a warning that simply going through the motions of a risk assessment will not be good enough, Ensenbach says. A checklist that provides no guidance or follow up won’t satisfy OCR. “This is something that they’re going to hold covered entities and business associates accountable for,” he says.

If a breach involves an employee downloading malicious software, he says, it’s most likely because he or she didn’t recognize what it was. This emphasizes the importance of regular training on phishing attacks and other cybersecurity threats. These attacks are becoming increasingly sophisticated, Ensenbach says, and increasingly difficult to detect. Although it may be impossible to completely eliminate this threat, education should be part of an organization’s risk management plan and cybersecurity threats should be included in the risk analysis.

Ensenbach notes that the most prevalent issue OCR found in its 2011 pilot audits was that most of the audited organizations did not have a risk analysis. Organizations also need to be aware that the risk assessment required to meet meaningful use standards is not the type of organization wide risk assessment, analysis, and management plan that will ensure an organization has reasonable protections that will satisfy OCR.

UWM’s settlement also included a CAP and an agreement to submit annual reports on its compliance efforts. The CAP specifically requires UWM to develop a current and comprehensive risk analysis that includes risks associated with the storage and transmittal of ePHI which were “excluded from its August 2014 ‘HIPAA Meaningful Use Risk Assessment’,” according to the resolution agreement. UWM must also develop a risk management plan, submit proof of its compliance program reorganization within 180 days of the resolution agreement’s effective date, and submit regular compliance reports to HHS for one year.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive