A California-based healthcare provider has agreed to a $3 million HIPAA settlement with the U.S. Department of Health and Human Services (HHS) over two breaches involving misconfigured IT. It is the latest in a recent series of hefty penalties issued in HIPAA cases.
On Thursday, Cottage Health, which operates several hospitals, agreed to pay the fine and implement a corrective action plan in the wake of an investigation into the breaches, which affected a total of 62,500 individuals. The California attorney general had already reached a separate $2 million settlement with Cottage Health.
David Holtzman, a privacy attorney and vice president of compliance at security consulting firm CynergisTek, says that other covered entities and business associates should learn from this latest HHS Office for Civil Rights (OCR) enforcement action.
Information systems are constantly updated, patched or upgraded, which makes it imperative to have change management policies and procedures in place whenever changes are made to an information system or its environment.
The first of the two Cottage Health breaches, in 2013, affected more than 50,000 patients and arose when electronic protected health information (ePHI) on a server was accessible from the internet.
“The OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password,” OCR states.
The second breach, in 2015, affected more than 5,000 individuals and was caused by a server being misconfigured following an IT response to a troubleshooting ticket, which exposed unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions and other treatment information, the agency notes.
OCR says its investigation revealed a number of failures on Cottage Health's part, including failures to:
- Conduct an accurate and thorough risk assessment;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
The resolution agreement between Cottage Health and OCR calls for the healthcare provider to take a number of corrective actions, including:
- Conduct an enterprise wide risk analysis;
- Develop and implement an enterprise wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Implement a process for evaluating environmental and operational changes that affect the security of the entity’s ePHI;
- Maintain and revise as necessary – and distribute to its workforce – written policies and procedures to comply with federal privacy and security standards;
Since the agreement was reached, Cottage Health has completed a third-party audit of its data systems and implemented additional measures to secure private information.
In 2018, OCR signed settlements in 10 HIPAA cases and was granted summary judgment in an 11th case before an HHS administrative law judge. The 11 cases carried a combined $28.7 million in penalties, although Cottage Health paid its penalty in 2019.
OCR notes that the total amount levied in 2018 enforcement actions surpassed its previous record of $23.5 million, set in 2016. That year, OCR issued 13 settlements plus one civil monetary penalty case.
In 2018, OCR also signed its largest individual HIPAA settlement so far: a $16 million resolution agreement and corrective action plan with Anthem Inc. relating to a cyberattack detected in 2015 that impacted nearly 79 million individuals.
That settlement was three times as large as the agency’s previous record settlement of $5.5 million in 2016 with Memorial Healthcare System in a breach case involving tax fraud.
Some experts question whether OCR should “count” the settlement with Cottage Health in its 2018 enforcement action tally, because the penalty for the settlement signed in 2018 was not paid until 2019.
Although OCR signed the resolution agreement with Cottage Health in December, the agreement gave the entity until Jan. 30, 2019, to pay.
There have been a handful of other such exceptions, mostly in enforcement actions involving administrative law judgments or civil monetary penalties levied against entities.
In June 2018, OCR announced that an HHS administrative law judge had ruled in its favor in a HIPAA investigation involving three breaches, requiring the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil money penalties for HIPAA violations. HHS has not yet collected the money because MD Anderson is appealing the ruling.
Similarly, in 2011, OCR issued a $4.3 million civil monetary penalty against Cignet Health for violations of the HIPAA Privacy Rule involving the Prince George’s County, Maryland-based clinic’s failure to provide 41 patients with access to their medical records and its subsequent failure to cooperate with federal investigators. But Cignet ended up filing for bankruptcy and never paid the penalty.
As for predictions about OCR’s enforcement activities in 2019, Nahra says: “I would expect enforcement activity to continue to move along at its regular pace. Whether they hit some dollar amount is somewhat independent of that – it just goes to how quickly cases resolve and how much money they can get in specific instances.”
According to Holtzman, HIPAA covered entities and business associates should take notice when OCR engages in high-profile enforcement actions.
While some in the healthcare industry bemoan the HIPAA rules as a burdensome government mandate, patients and their families want to be able to sleep soundly knowing there is accountability for failing to have basic information security safeguards in place for their health information.