Category Archives: HIPAA fines

FEDERAL JUDGE RULES FOR OCR, FINES MD ANDERSON $ 4.3 MILLION DOLLAR FINE FOR MAJOR HIPAA VIOLATION INVOLVING UNENCRYPTED STOLEN DEVICES AND 33,000 PATIENT RECORDS

In the ruling, the Judge found that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA RULE for Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. The $4.3 million dollar fine is the fourth largest amount ever awarded to OCR.

MD Anderson is an academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.  OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.

OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as
data encryption, when required to protect sensitive patient information
.”

LESSONS LEARNED

1.  MD Anderson had written encryption politics going back to 2006, and had identified lack of
encryption as a material weakness in their own risk analysis!

2.  If a HIPAA Risk Analysis identifies a weakness in a critical area like encryption, immediately
start encrypting all electronic devices.

THANKS FOR READING THE RISKAlert Report©
For more information and a free subscription:  write to:  caroline@riskandsecurityllc.com

We provide the best CMS Facility All-Hazards Risk Assessments, HIPAA Risk Analysis, as well as Active Shooter Training,
Workplace Violence Assessments, and Mass Casualty Drills & Training Programs.

www.riskandsecurityllc.com   and   www.caroline-hamilton.com

$ 3.5 Million Dollar Fine for Fresenius Medical Care North America (FMCNA) to settle potential violations of the HIPAA Privacy and Security Rules for FIVE different breaches.

RISKAlert Report Updated: Feb 2, 2018

FMCNA, a German company with US Operations based in  Waltham, Massachusetts, has agreed to pay a hefty $ 3.5 million dollar fine that covers 5 separate HIPAA Violations.

FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. Their facilities include dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitals and post-acute care providers.

US Dept. of Health and Human Services said the company failed to heed HIPAA’s risk analysis and risk management rules. FMCNA is also required to adopt a Comprehensive Corrective Action Plan. DHHS’ Office of Civil Rights,(OCR) investigation into the data incidents found that FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

The breaches spanned three states including Florida, Alabama, and Georgia. Each provider had specific
deficiencies and the Agreement calls out each deficiency by provider. You can read the entire Resolution Agreement at https://www.hhs.gov/sites/default/files/fresenius-racap.pdf.

Fresenius Medical Care’s corporate headquarters is in Bad Homburg, Germany. The North American headquarters is in Waltham, Massachusetts and the Asian-Pacific headquarters is located in Hong Kong.

LESSONS LEARNED:

1. All providers need to have a current Risk Analysis that identifies potential threats,
     analyzed solutions, and provides a concrete plan to fix any deficiencies. The Risk Analysis
     must adjust to new threats, such as Ransomware attacks.

2. Covered entities like FMCNA are responsible for all the providers in their network.

THANKS FOR READING THE RISKAlert Report©

For more information and more great content:
www.riskandsecurityllc.com or www.caroline-hamilton.com

For a no-cost subscription, write to caroline@riskandsecurityllc.com

Last-Minute HIPAA Compliance Tips

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you
have done everything you could possibly do, to be in full compliance with every
part of HIPAA:

1. Finish a current HIPAA Risk Analysis – CHECK

2. Rewrite Business Associate agreements – CHECK

3. Rewrite Policies & Procedures – CHECK

4. Get PHI off the office copiers – CHECK

5. Gather Documentation in one place – CHECK

6. Start HIPAA Security Awareness Program – CHECK

7. Update HR Sanctions Policies – CHECK

8. Finalize Contingency Plans – CHECK

9. Add more encryption – CHECK

10. Implement Plan for Smartphones & Mobile Devices – CHECK

11. Have staff sign new Affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the OCR
regulators are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the
automated network controls you have implemented.

2. A record of every application, every database, etc. that hold PHI, are used to create,
manage, or share PHI, in both electronic and paper form.

2. Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3. A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4. List of all HIPAA controls that are currently in place and verification documents.

5. Copies of all Business partners agreements and contracts

6. A notarized statement signed by the Board Director, CEO or Administrator formally
stating the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules.

7. Copies of recent employee surveys validating their stated compliance with all HIPAA
Security, Privacy, and Omnibus Rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.
It says “PREPARED” in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

For More Information, Contact Caroline Hamilton at caroline@riskandsecurityllc.com

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could 
possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

 

 

 

 

HIPAA COUNTDOWN – 26 DAYS LEFT TO COMPLY WITH HIPAA OMNIBUS RULE!

The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about
what NEEDS to be done right now.   Here’s a sample of the questions,

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?” 
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is
the lead federal agency for HIPAA Enforcement, “The Number One Thing you need to do before September 23rd
is to update, or start a new 
HIPAA Risk Analysis.”  

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter!  His twitter handle is @OCRLeon.

 

 

 

Countdown for HIPAA — Less than 25 days to Deadline & How to Get A Free HIPAA Risk Analysis Guide

NEW DEADLINE:  September 23, 2013

The new HIPAA Omnibus rule became law on March 23, 2013.   The main provisions of the Rule, which include new requirements for healthcare organizations, insurance companies, hospitals, clinics, pharmacies, dental practices and many other organizations, also include Business Associates, which means any organization that has access to patient medical records (PHI- Protected Health Information).

So all the data managers, the data storage companies, the lawyers and countless other companies who are part of flow of healthcare and medical data also have to have a completed HIPAA Risk Analysis by September 23, 2013!

For primary healthcare providers, to be in compliance with the HIPAA Omnibus Rule, they have to revise all their policies and procedures, and also rewrite their contracts with business associates, to place responsibility for data protection on the business associates. And business associates have to apply the same policies to their subcontractors too.  So thousands of policies and contracts are being furiously re-written, as I write this!

Completing a  HIPAA Risk Analysis is the best way to prepare for the deadline, and also to pinpoint any area where your organization needs to
improve a control, a policy or their operating procedures.   As a core HIPAA requirement, the Risk Analysis is a kind of summary of where the organization is in relation to all the HIPAA Rules, including HIPAA Privacy, HIPAA Security, NIST SP 800-66, the Office of Civil Rights, and the
Breach Notification Act.

There are great software tools available to help managers do a HIPAA Risk Analysis (like my HIPAA Risk-Pro program), available online at
www.flash-risk.com, or, as another option, many other organizations are hiring HIPAA consultants to come in and do a Risk Analysis for them.

So if you are a healthcare organization, or a designated business associate, you can start your HIPAA Risk Analysis on Tuesday, Sept. 3,
and have it completed by the deadline.

The Office of Civil Rights has a big pot of money, collected from fines, and they have hired more investigators to go out and audit all these organizations for HIPAA Compliance.  Recently a small hospice in Idaho was fined $50,000, and a physicians practice in Arizona was fined $100,000, and
many other organizations, including states and health plans, have been fined more than $1,000,000 for a variety of violations, including not
having a current Risk Analysis.

For more information on how to do a HIPAA Risk Analysis, you can write to:  info@riskandsecurityllc.com and get a free HIPAA Risk Analysis Guide, a free Project Plan, and a copy of exactly what the OCR Regulators look for when they conduct a HIPAA audit.

 

Why HIPAA Compliance is Related to Federal Contracts

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for
providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they have to first sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES.  In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means, the HIPAA Buck stop with you — you need to explain this to your manager or director.  This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!

 

How to Easily Update your HIPAA Business Associate Agreements Before Sept. 23, 2013

One of the major changes for every business involved with the new HIPAA Omnibus Rule is that you are required to 
“Review and,  if Necessary, Amend Business Associate Agreements”
Whether your organization is defined as a Hospital, a Physician Practice, a Group Health Plan, a Managed Care organization, a Pharmacy, a Dental Office, or any kind of “Covered Entity” (CE), you have to change your business agreements with all the people who access, create, manage, store, or view your Protected Health Information (PHI).
The new HIPAA Omnibus Rule (45 CFR § 164.314(a) and .504(e)) added new elements that require you to adjust the Business Associate agreements to make sure they agree (in writing) to comply with the HIPAA Security Rule, to make sure they perform their own Risk Analysis to assess how they protect PHI.
Covered entities and business associates must ensure that their existing and future agreements contain the elements required by . In addition to previous requirements, the agreement must require the business associate to:


1.  Comply with the security rule.

2.  Execute business associate agreements with their subcontractors. 

3.  To the extent the business associate carries out an obligation of a covered entity, comply with any HIPAA
      rule applicable to such obligations.

4.  Report breaches of unsecured protected health information to the covered entity (organization).
If you’re not sure how to adjust all these agreement, DHHS-OCR has updated sample business associate language for you
to use at :  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

The HIPAA Omnibus Rule has made accountability more important because it says that the Covered Entity (CE) is

are liable for the misconduct of business associates if the business associate is acting as the agent of the covered entity.

In the same way, business associates should review their agreements with their Covered Entities and also their Sub-Contractors to make sure that the language in their contracts is up to date and makes it clear that the subcontractors are acting as independent contractors and not as the agents of the covered entity or business associate, and that the agreements do not give the covered entity too much control over day-to-day operations of you, their business associate.

As of today, August 19, 2013, both the Healthcare Provider (CEs), and the Business Associates have 34 more Days to modify these agreements modified and up to date, making sure they match the new HIPAA Omnibus Rule if :

(1) the agreement they had in place on January 25, 2013, complied with the HIPAA rules as of that date, and

(2) the agreement does not expire or renew (other than through evergreen clauses) prior to September 23, 2014!

So get out those pencils, and those agreements and start reviewing, amending and modifying those agreements!
SPECIAL TIP:  Here’s a web site with sample Business Associate language to use as a resource:
  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Photocopier Misuse Triggers $1.2 Million Dollar Fine for Affinity Health

A HIPAA fine of $1,215,780 has been assessed against Affinity Health Plan,  a not-for-profit managed care plan serving the New York metropolitan area.  The Settlement was announced on August 14, 2013 at 11 pm.

This is the first settlement involving a copier.  Affinity Health Plan had a copier that they returned to the vendor, and it was re-sold to CBS Evening News, without erasing all the files that the printer had stored for year.

CBS News found that the hard drive of the used copier contained health records of The new copier owner found the files and it was determined that over 344,579 individuals had their Protected Health Information exposed by the Breach, which was initially reported in April of 2010.

Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

The settlement included violations of both the HIPAA Privacy and HIPAA Security Rule.  Increases in audits and, subsequently, fines at other healthcare organizations are expected to increase after the new HIPAA Omnibus Rule goes into effect on September 23, 2013.

To read the entire Department of Health and Human Servies (HHS)  Resolution Agreement and Corrective Action Plan can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html.

 

The Top 5 Reasons Why You May Not Be HIPAA Compliant!

After updating the HIPAA Law (HIPAA Omnibus Rule) in 2013, and a new Enforcement Deadline
coming up on September 23, 2013, some organizations still aren’t HIPAA compliant!   With over
22,000,000 disclosures of Protected Health Information already, what are the five most common
reasons why your organization isn’t compliant!

1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk
analysis really is.   A HIPAA Risk Analysis,  (according to the Office for Civil Rights for the Department
of Health and Human services) is: Conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability of electronic 
protected
health information held by the organization.

2.  The HIPAA Risk Analysis is out of datemaybe you did it five years ago, which was BEFORE
the new HIPAA Omnibus Rule 
was mandated.  Maybe you wanted to update it, but you got busy
with all the other pressing IT issues.  Maybe you didn’t have the right resources to run a risk analysis.

3.  HIPAA Risk Analysis was too focused on technical elements.  Many information security
managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct.
HIPAA rules need to be followed by the medical staff, by the medical records people, by the human
resources department, and by everyone who handles or accesses PHI (protected health information).
And the Risk Analysis has to reflect input from all these different roles.

4.  No correlation between the HIPAA Risk Analysis Recommendations and the changes
that were made
after the HIPAA Risk Analysis was completed.  The HIPAA Security controls should
have been implemented in conjunction with the Risk Analysis, not added completely independently.
The Risk Analysis should be a road map, not a boring report that ended up locked in a file cabinet somewhere.

5.  Inadequate training and security awareness program.   In a recent HIPAA Risk Analysis,
the individuals surveyed said they had a few hours of HIPAA training when they joined the company,
but nothing since.  Next question, how long had they been with the organization, and they said,
six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA Training
or even access to a security awareness program.

Don’t find out you’re not HIPAA Compliant, when a federal regulator is sitting out in the lobby.
BE PRO-ACTIVE and start your HIPAA Risk Analysis today.  To get started, send your questions to caroline@riskandsecurityllc.com, or review the OCR Guidelines for HIPAA Risk Analysis at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf