Security Shredding News Spring 2019

Page 1

Volume 16, Issue 1

SPRING 2019

Security Shredding News Serving the Security Shredding & Records Storage Markets

Visit us online at www.SecurityShreddingNews.com

HIPAA Reports Record Number of Enforcements in 2018

By Ken McEntee

Enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA) set a record last year, according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which concluded an all-time record year in enforcement activity. In 2018, OCR settled 10 cases - including a case involving a defunct record storage company - and was granted summary judgment in a case before an administrative law judge, together totaling $28.7 million from enforcement actions. This total surpassed the previous record of $23.5 million, set in 2016, by 22 percent. In addition, OCR also achieved a $16 million settlement with Anthem Inc., the largest individual HIPAA settlement ever. The settlement was almost three times larger than the previous record of $5.5 million reached in 2016.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino.

OCR’s final settlement of 2018 occurred in December, when Cottage Health, of Santa Barbara, Calif., agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA rules. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital, all in California. OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting more than 62,500 individuals, one in December 2013 and another in December 2015.

OCR said the first breach arose when ePHI on a Cottage Health server was accessible from the internet. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server. The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information.

OCR’s investigation revealed that Cottage Health failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

“The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during and after implementation when a covered entity makes system changes,” Severino said.

In addition to the $3 million settlement, Cottage will undertake a robust corrective action plan to comply with the HIPAA Rules. Here are OCR’s other settlements and judgments from 2018:

Filefax Inc.

In January 2018, OCR settled for $100,000 with Filefax Inc., a now-closed medical records maintenance, storage and delivery services provider based in Northbrook, Ill. OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) of about 2,150 people by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax and leaving the PHI unsecured outside the Filefax facility.

Consequences for HIPAA violations don’t stop when a business closes, OCR said. In February 2018, a receiver appointed to liquidate the assets of Filefax agreed to pay $100,000 out of the receivership estate to OCR to settle the HIPAA violations. Although Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations, it could not escape its obligations under the law, OCR said.

On February 10, 2015, OCR received an anonymous complaint alleging that an individual transported medical records obtained from Filefax to a shredding and recycling facility to sell on February 6 and 9, 2015. OCR opened an investigation, which confirmed that an individual had left the medical records of about 2,150 patients at the shredding and recycling facility, and that these medical records contained

Continued on page 3
