CMS Imposes $4.6 Million in Civil Monetary Penalties for HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights (OCR) imposed civil monetary penalties (CMP) of $3 million and $1.6 million for HIPAA violations in the first half of November.
$3 million CMP: Failure to Encrypt Devices
In 2010, the University of Rochester Medical Center (URMC), one of New York’s largest health systems, reported a lost unencrypted flash drive, and OCR supplied technical assistance. In May 2013, URMC filed a breach report with OCR after URMC lost another unencrypted flash drive. In January 2017, URMC filed a breach report after a resident physician’s personal laptop, which contained electronic protected health information (ePHI), was stolen.
OCR determined that URMC did not perform an enterprise-wide risk analysis, failed to implement security measures to reduce risks and vulnerabilities, failed to utilize device and media controls, and failed to employ a mechanism to encrypt and decrypt ePHI. OCR also recalled URMC’s 2010 HIPAA breach, noting that URMC had itself identified a lack of encryption as a substantial risk to ePHI disclosure, but did not take necessary action to encrypt devices. OCR Director Roger Severino warned that “[w]hen covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.” Besides the $3 million CMP, URMC must follow a corrective action plan that includes implementation of a risk management plan, staff training, and reviewing policies and procedures, updating them when necessary.
$1.6 million CMP: ePHI Disclosure
CMS has also imposed a $1.6 million Civil Monetary Penalty on the Texas Health and Human Services Commission for allowing public access to ePHI through its website. In June 2015, the Commission’s predecessor agency, the Texas Department of Aging and Disability Services (DADS), filed a breach report with OCR after the ePHI of 6,617 individuals was exposed. Due to inadequate audit controls, DADS could not determine how many people accessed the exposed ePHI. However, DADS was able to determine that the improper disclosure occurred when an application was moved from a secure server to a public server, and a software flaw allowed the public to access ePHI without credentials.
OCR determined that DADS failed to conduct an enterprise-wide risk analysis, and failed to implement access and audit controls. In imposing a civil monetary penalty of $1.6 million, OCR Director Roger Severino explained that “[c]overed entities need to know who can access protected health information in their custody at all times.”
These two recent cases highlight OCR’s continued focus on potential HIPAA violations, including the failure to encrypt PHI and the failure to conduct risk analyses in order to uncover and fix potential vulnerabilities. In order to avoid similar issues, both covered entities and business associates should ensure that they have implemented all HIPAA-required safeguards and that they are conducting regular reviews of their policies and procedures as they relate to safeguarding PHI.