Inside A HIPAA Breach - InformationWeek


Healthcare // Security & Privacy
News
10/7/2014 09:06 AM

Inside A HIPAA Breach

A business associate's breach has a serious ripple effect on one small healthcare provider.


A Saturday night phone call gave no indication it heralded months of bureaucracy, finger pointing, expense -- and the dismal realization that even the smallest healthcare provider is liable and harmed when a business associate suffers a HIPAA breach.

"This is a lot of burden on a very small practice. They didn't cause the breach, but they definitely suffer the consequences because of it," said Art Gross, president and CEO of HIPAA Secure Now, in an interview.

On one end of the phone was Dr. Bill Jones (pseudonym), who employs six people at his oral surgery practice. On the other was a patient's parent, a self-described computer geek who had spent the evening doing his customary bimonthly online search of family members' names -- only to discover that his son's health information from Jones's web-based admissions form was readily available to anyone with more than basic computer skills. Although a Google search didn't disclose the boy's information, Jones's more computer-savvy son successfully located the patient's data with a more sophisticated search, Jones told InformationWeek.


As a small practice with no full-time IT professionals on staff, Jones relied on a solution provider to maintain his workstations and network, design his website, and support an electronic registration form that patients could complete before visiting the office for dental surgery. The office had also installed an electronic health record (EHR) software package earlier that year. The form collected information such as name, date of birth, address, and insurance provider, and thousands of people had used it since the practice began offering the capability in fall 2006, Jones said.

When he learned of the breach, Jones had no way to reach the service provider and take down the site until 8 a.m. on Monday. Initially, the two organizations worked together to figure out and resolve the problem, said Jones.

"On Monday, the company found 50 patients affected over about six months. The database had become live and searchable. They found the error. They shut it down. We still haven't relaunched it. Thousands of patients use it a year. We typically see a patient for a particular problem, treat that problem, and then the patient's released back to their regular dentist. There are thousands of patients, so it's a very, very small percentage [affected], but it's still a very major problem. The very frustrating thing is I didn't have direct control of it."

(Source: AJ Cann/Flickr)

Even though the breach occurred at a technology service provider that signed a business associate contract and was HIPAA certified, Jones quickly learned that his practice was not indemnified. Once notified of the breach, the Office of Civil Rights (OCR) wrote to the dental surgery and asked it to provide proof of the security steps it had taken both before and after its business associate's breach within 20 days, said Gross. The list of required items included:

  • A response to the allegations made in the complaint, describing the circumstances of the breach, the date it occurred, and the protected health information (PHI) that became available
  • Copies of notes or other documentation related to any internal investigation, plus details of any corrective actions taken
  • A copy of the breach risk assessment, if taken
  • The covered entity's policies and procedures regarding PHI uses, safeguarding, and disclosure
  • A copy of the dental surgeon's business associate agreement with the solution provider
  • Information on any risk management plans developed as a result of this breach
  • Evidence of information system activity reviews
  • Documentation showing any network scans or penetration tests conducted before or after the breach
  • A copy of the practice's approved access management policy
  • Proof of the oral surgeon's security awareness and training materials before the breach and evidence of workforce training, including attendance
  • Evidence of anti-virus software; data backup procedures; technical access controls, including password management policies and procedures; implemented network security devices; and network security monitoring

Jones, who is self-insured for malpractice, immediately contacted the insurer who led the investigation into the breach and ordered a HIPAA security analysis -- which the practice had begun working through even before it received OCR's letter.

Prior to the breach, all employees had undergone HIPAA and HITECH training, said Jones. The dental surgery office, which does not accept Medicare but is accredited with the Joint Commission, has a large three-ring


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments

dandmi, User Rank: Apprentice, 11/13/2014 | 12:59:15 PM
Getting the CE to Sign Off on Noncompliant Solutions
The hardest part of being a BAA (especially a provider of tech solutions) is that many doctors and dentists don't want to buy all of the services that will keep them compliant on their networks. When we are asked to install systems with configurations that don't comply with HIPAA (i.e. automatic logoffs, passwords on PCs, etc.), we need them to sign off stating that "best practices were proposed, but the CE elected not to go forward with fully compliant systems."

Unfortunately, this practice does not sit well with the covered entity; however, it's important to make sure that the CE acknowledges that best practices for network configuration have not been deployed.

BAAs can be the first group to be thrown under the bus when an audit takes place, so my advice to BAAs is to dot your i's, and make sure there is written acknowledgement if fully compliant solutions are not deployed.

How do other BAAs approach this scenario?
Alison_Diana, User Rank: Author, 10/23/2014 | 3:35:45 PM
Re: HIPAA Certified
Good ideas here, Gary. And that wisdom also extends to other devices, doesn't it, like printers? That, at least, is what I have learned from other experts in the past.
Alison_Diana, User Rank: Author, 10/23/2014 | 3:34:37 PM
Re: Speaking Out
The case has not yet been resolved. The dental surgeon is waiting to hear what happens from the government but is trying to mitigate his damage by taking the steps I outlined in the article, both in hopes of reducing his risk and because he really doesn't want to run the risk of exposing patient data. He felt terrible, of course.
Alison_Diana, User Rank: Author, 10/23/2014 | 3:32:55 PM
Re: Exceptional reporting!!!
Thank you so much, @JerryWebb. As you so accurately point out, each state may have its own variations above and beyond HIPAA. I know Florida, where I live, has its own rules, and you mention Texas. There is no such thing as a one-size-fits-all approach, and if I were a healthcare provider, especially a smaller one, I would take some outside expert counsel here.
Gary Scott, User Rank: Moderator, 10/23/2014 | 3:13:43 PM
HIPAA Certified
HIPAA includes specific provisions on data protection. When outsourcing projects to a third party, the HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from the business associate that the organization will safeguard EPHI it receives.

If you are a covered entity searching for an EPHI service provider, steer clear of any organization that tells you they are 'HIPAA Certified'. HIPAA certification does not exist. Not only does HIPAA not certify providers for handling EPHI, HIPAA does not give steadfast rules on how services should be provided.

For example, when it comes to destroying EPHI on computer hard drives, HIPAA suggests 1) erasing, 2) degaussing, or 3) physically shredding the drives. HIPAA also says "Other methods of disposal also may be appropriate, depending on the circumstances." When dealing with EPHI and HIPAA regulations, do yourself a service and err on the safe side.

When it's time to dispose of your Windows XP computer -- that time has already come and gone -- have a third-party vendor shred your hard drives. Opting for the most secure handling of EPHI will help your business in the long run.

jerrywebb, User Rank: Apprentice, 10/9/2014 | 1:34:49 PM
Exceptional reporting!!!
I see situations "in the trenches" like this every week (up to and including the "finger pointing" and being caught up in litigation). The notion that BA agreements are being used like cookie-cutter templates is spot on. Many in the IT industry (where I come from) arbitrarily sign these agreements without a clue what they mean or the consequences (especially in Texas, where there are more implications besides federal HIPAA law). The HIPAA compliance process is a journey, not a destination!! During a REAL RISK ANALYSIS, any security professional should discuss the pros and cons of SAAS / CLOUD (it's NOT new technology, and there are serious pros and cons), MSPs, and all the other IT buzzwords that get offered to small businesses (who usually don't have a clue, nor can afford someone who does). It's not all about "what is the cheapest" when it comes to anything IT, which is (sadly) where IT has gone the last decade, having been in it for 40 years.
gcaus, User Rank: Apprentice, 10/9/2014 | 9:52:32 AM
Re: Speaking Out
Clearly, with XP and other major issues regarding compliance, were there any fines from the OCR?! Please don't tell me that the only penalty was that they had to pay for credit monitoring. If that is the case, I don't see how this scares physicians. Most aren't doing anything, or are printing out some policies and getting an EHR.
marias117, User Rank: Apprentice, 10/8/2014 | 4:25:52 PM
HIPAA Certified?
A quick quotation of the article:

"Even though the breach occurred at a technology service provider that signed a business associate contract and was HIPAA certified"

Last time I checked, no certification program is recognized by any federal governing office. Also, at the end of the article there is a mention of Windows XP still being used in the practice.

I think this is more related to the quality of service of the business associate that was providing HIPAA advice. 
Alison_Diana, User Rank: Author, 10/7/2014 | 10:10:10 AM
Speaking Out
Although "Dr. Jones" didn't want to use his own name, he wanted to speak to me because he was concerned other small practices could easily find themselves in the same position: thinking they'd done everything they could to secure patient data and were safe, due to business associate contracts. As he discovered, this is not the case.