
A HIPAA Life Sentence… and SO Many Lessons

Posted on November 15, 2018 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

In 2012 Accretive Health Care was banned from doing business in Minnesota for 2 – 6 years for a HIPAA violation.

In 2018 New York State suspended a nurse’s license for a year for a HIPAA violation.

But, a life sentence?

The New Jersey Attorney General announced a $200,000 HIPAA and consumer fraud penalty against an out-of-business Georgia medical transcription company. In 2016 ATA Consulting LLC d/b/a Best Medical Transcription breached the medical records of over 1,650 people treated by three New Jersey healthcare providers by publicly exposing their medical records to the Internet. And their customer, Virtua Health, paid a $418,000 settlement for violations of both HIPAA and the New Jersey Consumer Fraud Act.

Tushar Mathur, owner of Best Medical Transcription, agreed to a permanent ban on managing or owning a business in New Jersey.

Wow.

A life sentence for a HIPAA violation.

And the medical clinic paying a $418,000 penalty for the actions of its vendor.

By a state, not the federal government.

What can you learn from this?

1. It’s shocking to see how many servers have been misconfigured, or how much protected data has been stored on web servers, exposing patient records to the Internet. These HIPAA penalties were all for exposing patient records through the Internet:

LESSONS –

  • Have your servers installed by a certified professional using a detailed checklist to ensure that no data is exposed to the Internet.
  • Make sure your organization has enough data breach insurance to cover millions of dollars in penalties; that you live up to all the requirements of your policy; and that you consistently implement the security controls you said you have in place on your insurance application.
  • Make sure your outsourced IT provider has enough Errors & Omissions insurance to cover your penalties.

2. Many doctors and business owners tell me that “the federal government will never get them” or that they are “too small to be of interest” to federal regulators.

LESSONS –

  • Regulators go after small businesses, which doesn’t always make headlines. The Federal Trade Commission forced a 20-employee medical lab to go out of business. The business owner fought the FTC and ultimately won in court, but his business was gone.
  • Don’t ignore the risk that your state Attorney General (who probably wants to be governor) wants headlines about protecting consumers. The HITECH Act (2009) gave state Attorneys General the authority to enforce HIPAA. Violations also can be tied to consumer protection laws, not just HIPAA.
  • Lawyers are representing patients whose information was released without authorization. Patients have successfully sued doctors for HIPAA violations.
  • Doctors shouldn’t laugh off HIPAA or just complain (INCORRECTLY) that it interferes with patient care. A doctor went to jail for a HIPAA violation.

3. HIPAA is only one regulation with which you must comply.

LESSONS –

  • Don’t think that a ‘We Make HIPAA Easy’ web-based solution is enough to protect your assets from all your regulatory challenges.
  • Don’t think that a self-conducted Security Risk Analysis is a substitute for a professionally-designed HIPAA compliance program that will meet all the federal and state requirements you must follow.
  • Don’t think that an IT Security company doing a vulnerability or penetration test is a substitute for a HIPAA Security Risk Analysis or a robust compliance program.
  • Every state now has data breach laws the state Attorneys General love to enforce. These consumer protection laws protect Personally Identifiable Information (PII) held by medical practices. State laws have different requirements than HIPAA. For example, HIPAA requires that patients be notified no later than 60 days after a data breach. California requires just 15 days.
  • Because of the opioid crisis, many types of medical practices are now offering substance abuse treatment, which requires additional confidentiality measures. So do HIV, mental health, and STD treatments. You need to address all the regulations that apply to you.

4. Don’t blindly trust your vendors.

LESSONS –

  • Signing a Business Associate Agreement (BAA) isn’t evidence that your vendor really complies with HIPAA. According to the NJ Attorney General, Best Transcription signed a BAA with Virtua Health but:
      • Failed to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held;
      • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule;
      • Failed to implement policies and procedures to protect ePHI from improper alteration or destruction;
      • Failed to notify VMG of the breach of unsecured PHI; and
      • Improperly used and/or disclosed ePHI in contravention of its obligations under its Business Associate Agreement with VMG.

Make sure your vendors understand their HIPAA obligations. Even after five years, my experience is that many Business Associates have failed to keep up with the changes required by the 2013 HIPAA Omnibus Final Rule. Many talk about HIPAA in their sales and marketing but do not comply.

Remember that you are responsible for the actions of your vendors.

WHEN YOU ARE LYING AWAKE TONIGHT, ASK YOURSELF:

  • Are you really sure you can survive an investigation by your state attorney general?
  • Are you really sure your Business Associate vendors have conducted a HIPAA risk analysis; have implemented HIPAA security measures; have implemented HIPAA policies and procedures, are really protecting your PHI, and will notify you if there is a breach?
  • Are you willing to bet $418,000 (what Virtua paid) on it?
  • If you are a Business Associate, what do you think it will feel like if you are banned for life from doing business?

Doctors send patients to specialists all the time. Whether you are a medical provider or a vendor, do you have the trained and certified specialists you need to help with all your regulatory challenges? Does your team need expert help to validate what you and your vendors are doing and to address any gaps?

Don’t risk your assets. Don’t risk a life sentence.

Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Posted on June 6, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns. I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There are many, many ways a business associate can drop the ball, especially if you’re not keeping them informed. For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions. The stolen tapes included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have done wrong, it was the hospital which was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General slapped the hospital with these fines because it hadn’t done due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates? The following list of criteria, supplied by Thu Pham, seems likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, as all of this preparation might be worth a lot less if policies are loose. Now, over to you. Do you think this list is sufficient to protect your institution? Are there items you’d add or clarify?