Inside A HIPAA Breach - InformationWeek

Healthcare // Security & Privacy | News | 10/7/2014 09:06 AM

Inside A HIPAA Breach

A business associate's breach has a serious ripple effect on one small healthcare provider.

binder of compliance rules and conducts training annually. Attorneys laughed at the provider's binder, Jones said ruefully. Its annual training initiatives and other safeguards did not typically include the formal documentation processes OCR demanded.

"I think we're as well prepared as most practices are but we weren't prepared for what happened here," said Jones.

OCR requires documentation; small practices don't necessarily take attendance for online training sessions, for example, or formally list the processes they follow, Gross said. Also, small practices might not have the internal capability to verify that business associates comply with the terms of their contracts, and those contracts may fail to address details such as notification timing, he added.

The government gives organizations no more than 60 days after discovery of a breach to notify patients. After a billing company found a breach in its system, it alerted one practice on day 52, giving the healthcare provider only eight days to react, prepare, and share a message with patients, said Gross, discussing other small practices affected by business associate breaches.

"I think you'll get those details if the covered entity or the business associate went to a lawyer, but a lot of these business associate agreements are standard boilerplate business associate agreements, and some of the details are not defined," he said. "A lot of organizations are just signing these documents without knowing what it is, especially on the associate side. I think you're seeing a lot of signatures of business associate agreements without attention to detail."

While still wondering how OCR will penalize his practice after it completes the review, Jones already has learned from this experience, he said. The dental surgery, which stopped working with its first solution provider after finger-pointing began, offered two years of LifeLock monitoring to all 50 affected patients; about half took the service, said Jones. The father of the patient who discovered the breach requested more.

"He wanted 10 years, which we eventually decided to do. And then he signed a letter of understanding and agreed not to pursue any further action against the practice," said Jones. "I can understand some dismay there. I can understand how he felt."

In addition, the practice upgraded all its computers to Windows 8, including the few previously still on Windows XP. It also is working closely with its insurer, attorneys, a local solution provider, and HIPAA Secure Now on the audit and improvements to training, technology, documentation, and practices, and added encryption and vulnerability testing, said Jones.

Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience.

Comments

dandmi (User Rank: Apprentice), 11/13/2014 12:59:15 PM
Getting the CE to Sign Off on Noncompliant Solutions
The hardest part of being a BAA (especially a provider of tech solutions) is that many doctors and dentists don't want to buy all of the services that will keep them compliant on their networks. When we are asked to install systems with configurations that don't comply with HIPAA (i.e., automatic logoffs, passwords on PCs, etc.), we need them to sign off stating that "best practices were proposed, but the CE elected not to go forward with fully compliant systems."

Unfortunately, this practice does not sit well with the covered entity; however, it's important to make sure that the CE acknowledges that best practices for network configuration have not been deployed.

BAAs can be the first group to be thrown under the bus when an audit takes place, so my advice to BAAs is to dot your i's and make sure there is written acknowledgement if fully compliant solutions are not deployed.

How do other BAA's approach this scenario?
Alison_Diana (User Rank: Author), 10/23/2014 3:35:45 PM
Re: HIPAA Certified
Good ideas here, Gary. And that wisdom also extends to other devices, doesn't it, like printers? That, at least, is what I have learned from other experts in the past.
Alison_Diana (User Rank: Author), 10/23/2014 3:34:37 PM
Re: Speaking Out
The case has not yet been resolved. The dental surgeon is waiting to hear what happens from the government but is trying to mitigate his damage by taking the steps I outlined in the article, both in hopes of reducing his risk and because he really doesn't want to run the risk of exposing patient data. He felt terrible, of course.
Alison_Diana (User Rank: Author), 10/23/2014 3:32:55 PM
Re: Exceptional reporting!!!
Thank you so much, @JerryWebb. As you so accurately point out, each state may have its own variations above and beyond HIPAA. I know Florida, where I live, has its own rules, and you mention Texas. There is no such thing as a one-size-fits-all approach, and if I were a healthcare provider, especially a smaller one, I would take some outside expert counsel here.

Gary Scott (User Rank: Moderator), 10/23/2014 3:13:43 PM
HIPAA Certified
HIPAA includes specific provisions on data protection. When outsourcing projects to a third party, the HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from the business associate that the organization will safeguard EPHI it receives.

If you are a covered entity searching for an EPHI service provider, steer clear of any organization that tells you they are "HIPAA Certified." HIPAA certification does not exist. Not only does HIPAA not certify providers for handling EPHI, HIPAA does not give steadfast rules on how services should be provided.

For example, when it comes to destroying EPHI on computer hard drives, HIPAA suggests 1) erasing, 2) degaussing or 3) physically shredding computer hard drives. HIPAA also says "Other methods of disposal also may be appropriate, depending on the circumstances." When dealing with EPHI and HIPAA regulations, do yourself a service and err on the safe side.

When it's time to dispose of your Windows XP computer (that time has already come and gone), have a third-party vendor shred your hard drives. Opting for the most secure handling of EPHI will help your business in the long run.
jerrywebb (User Rank: Apprentice), 10/9/2014 1:34:49 PM
Exceptional reporting!!!
I see situations "in the trenches" like this every week (up to and including the "finger pointing" and being caught up in litigation). The notion that BA agreements are being used like cookie-cutter templates is spot on. Many in the IT industry (where I come from) arbitrarily sign these agreements without a clue what they mean or the consequences (especially in Texas, where there are more implications besides federal HIPAA law). The HIPAA compliance process is a journey, not a destination!! During a REAL RISK ANALYSIS, any security professional should discuss the pros/cons of SAAS/CLOUD (it's NOT new technology, and there are serious pros and cons), MSPs and all the other IT buzzwords that get offered to small businesses (who usually don't have a clue nor can afford someone who does). It's not all about "what is the cheapest" when it comes to anything IT, which is (sadly) where IT has gone in the last decade, having been in it for 40 years.
gcaus (User Rank: Apprentice), 10/9/2014 9:52:32 AM
Re: Speaking Out
Clearly, with XP and other major issues regarding compliance, were there any fines from the OCR?! Please don't tell me that the only penalty was they had to pay for credit monitoring. If that is the case, I don't see how this scares physicians. Most aren't doing anything, or printing out some policies and getting an EHR.
marias117 (User Rank: Apprentice), 10/8/2014 4:25:52 PM
HIPAA Certified?
A quick quotation of the article:

"Even though the breach occurred at a technology service provider that signed a business associate contract and was HIPAA certified"

Last time I checked, no certification program is recognized by any federal governing office. Also, at the end of the article there is a mention of Windows XP still used in the practice.

I think this is more related to the quality of service of the business associate that was providing HIPAA advice. 
Alison_Diana (User Rank: Author), 10/7/2014 10:10:10 AM
Speaking Out
Although "Dr. Jones" didn't want to use his own name, he wanted to speak to me because he was concerned other small practices could easily find themselves in the same position: thinking they'd done everything they could to secure patient data and were safe, due to business associate contracts. As he discovered, this is not the case.