Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team.  We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches where more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, that Cottage Health’s insurance company is trying to recover, because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AG’s the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage health generated over $746 million in revenue and had 3,120 employees.  Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, basic IT security like passwords and firewalls, means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.