HHS Rings in 2013 with News of Settlement for Small Breach
We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year!
It seems fitting for the first post of the year to revolve around HHS's announcement of its first breach settlement of 2013. In what may quickly become a "trend" for HHS and OCR, the $50,000 settlement with the Hospice of North Idaho (HONI) is the first of its kind: a settlement arising from a breach that affected fewer than 500 individuals. It followed OCR's investigation of a reported breach involving 441 patients and the theft of an unencrypted laptop in the summer of 2010, and it is a far cry from the breaches we have seen in the past, with tallies numbering in the hundreds of thousands of affected individuals and fines of over a million dollars.
Yet again OCR has called out a covered entity for failing to conduct a risk analysis as required by the HIPAA Security Rule, and has cracked down on yet another breach involving an unencrypted device (see, for example, the Alaska DHHS Resolution Agreement, which resulted from the theft of a flash drive containing PHI). OCR stated not only that HONI had failed to implement policies and procedures addressing mobile device security despite regular and routine use of laptops in the field, but also that HONI had failed to conduct a risk analysis to safeguard electronic PHI, stating:
HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis...from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (emphasis added)
The risk analysis is too often neglected by covered entities, despite being a "Required" implementation specification of the Security Management Process standard, whose purpose is to prevent, detect, contain, and correct security violations (45 CFR 164.308(a)(1)(ii)(A)):
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
This breach settlement, combined with the fact that the risk analysis is also an independent core measure required of Meaningful Use participants in the Medicare and Medicaid EHR Incentive Programs, suggests that all covered entities, big or small, should make it their New Year's resolution to be more proactive about their risk analyses and to throw out bad portable device habits. If your organization has no policies and procedures governing the use of laptops, flash drives, and other devices that can store or access ePHI, and no documented good reason for not encrypting them where their use is necessary, it may be in for a rude awakening in the event of loss or theft, or when OCR or CMS knocks at the door to conduct an audit. Remember that although encryption of data at rest and in transmission is not required per se by the HIPAA Security Rule, it is an "addressable" implementation specification: every covered entity must assess whether it is reasonable and appropriate, and either implement it or document why it is not and what equivalent alternative measure was adopted instead. "Addressable" does not mean optional, and an undocumented decision not to encrypt is exactly the gap OCR found in the HONI case.
OCR and ONC have made available several resources and tools to help covered entities of all sizes conduct and review a risk analysis. The majority of these are now readily available in one location on the Health IT website under the National Learning Consortium Resources section. NIST Special Publication 800-30 has also consistently been cited by OCR as a resource for preparing for and conducting risk analyses. In addition, ONC recently released a new initiative aimed at improving the security of mobile devices: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.
Whatever the reasons or excuses in the past, make 2013 the year your organization resolves to be more proactive about its risk analysis and security management processes, its management of mobile devices, and the overall security of ePHI.