Academic medical centers and research institutions that treat patients don’t just have to worry about policies imposed by NIH or regulations by funding agencies. They also must watch the enforcement actions by the HHS Office for Civil Rights related to their standing as HIPAA covered entities (CEs). And in recent weeks, OCR has been very busy.
In September and early October, OCR issued three settlements in quick succession against organizations for allegedly ignoring warning signs of hackers and seven for allegedly failing to provide patients or parents access to medical records in a timely manner.
Although the payments in the settlements ran the gamut from $3,500 in the smallest access case to $6.85 million in the largest data breach case, the message from OCR was clear: failure to follow HIPAA rules involving security and patient medical records access may result in an OCR enforcement action.
Breaches Represent Most Costly Settlements
The settlements involving breaches were $6.85 million from insurer Premera Blue Cross over a 2015 data breach[1] and $2.3 million from CHSPSC LLC,[2] an affiliate of Community Health Systems Inc., over a 2014 data breach.
In both the Premera case and the CHSPSC case, OCR found what it termed systemic longstanding issues of noncompliance with the HIPAA security rule. In Premera’s case, the insurer had been warned about security issues but failed to take action, OCR said, while in CHSPSC’s case, the company had received a warning from the FBI about a potential hack but failed to step in quickly to stop it.
Premera, which operates in Washington and Alaska and is the largest health insurer in the Pacific Northwest, filed a breach report in March 2015 stating that hackers had used a phishing email to install malware, giving the hackers access to Premera’s information technology (IT) system in May 2014. The breach went undetected for nearly nine months, and hackers gained access to sensitive personal information, including health information and Social Security numbers.
OCR Director Roger Severino said in a statement the case “vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system” for months at a time. As detailed by the settlement agreement, OCR found potential violations of four HIPAA provisions. The breach affected nearly 10.5 million people.
As part of its settlement with OCR, Premera agreed to a corrective action plan (CAP) containing several measures to shore up IT security. It represents the second-largest payment to resolve a HIPAA investigation in OCR history.