OCR Issues Guidances to Ensure Appropriate Sharing of Medical Information During Hurricane Florence
On September 13, 2018, OCR released a statement with suggested practices to ensure equal access to emergency services and appropriate sharing of medical information during Hurricane Florence. The statement suggested that emergency responders should consider adopting several practices to make sure all segments of the community are served. Suggested practices included employing qualified interpreter services, making emergency messaging available, and taking other reasonable steps to provide an equal opportunity to benefit from emergenct response efforts.
In addition, OCR stated that as part of his declaration of a Public Health Emergency (PHE), HHS Secretary Alex Azar waived sanctions and penalties under certain provisions of the HIPAA Privacy Rule that may otherwise apply to covered hospitals, including provisions that generally require covered entities to give patients the opportunity to agree or object to sharing information with family members or friends involved in the patient’s care. This waiver applies only to the emergency area and for the emergency period identified in the PHE declaration and only to hospitals that have instituted a disaster protocol. For more information about disclosing health information for public health emergency preparedness purposes, please see OCR's Emergency Preparedness Page.
Theft of University of Michigan Employee's Laptop Could Have Exposed Health Information of About 870 People
On June 3, 2018, a Michigan Medicine employee's personal laptop was stolen. The information stored on the laptop included data based on IRB-approved research studies at Michigan Medicine. The data could have included patient names, birthdates, medical record numbers, gender, race, diagonsis and other treatment-related information. The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop. As a precautionary measure, affected patients have been advised to monitor their medical insurance statemnts and for any potential evidence of fraudulent transactions.
Judge Rules in Favor of OCR and requires University of Texas MD Anderson Cancer Center to pay $4.3 million in civil penalties for HIPAA violations
The ALJ ruled that MD Anderson violated HIPAA Privacy and Security rules and granted summary judgmeent to OCR on all issues. This is only the second summary judgement victor in OCR's history of HIPAA enforcement. The case was decided after OCR investigated three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two unencrypted USB flash drives ontaining ePhi of over 33,500 individuals. OCR's investigation found that MD Anderson's own risk analyses had found that lack of device-level encryption posed a high risk to the security of ePHI, but did not begin to adopt an enterprise-wid solution to implement encryption of ePHI until 2011.
See the ALJ Decision.
OCR Newsletter Highlights Importance of Workstation Security
Covered Entities are obligated to adhere to the HIPAA Security Rule, which requires physical safeguards for all workstations that access electronic PHI (ePHI). Failure to take reasonable steps regarding physical security may have serious consequences. According to OCR, there are many low-cost physical security controls available to covered entities, such as privacy screens for computers and cable locks to deter theft. Port and device locks help prevent unauthorized copying of data to removable media and restrict exposure to malicious software. OCR also suggests covered entities utilize various cost-free physical security measures, including workstation screen positioning and locking rooms that store electronic equipment or media.
For more information about physical security strategies, see the May 2018 OCR Cyber Security Newsletter.
Ransomware Attack in Rochester, Minnesota Impacts More than 6,500 Patients, Affected Entity Responds Quickly
The ransomware attack was discovered on March 31, 2018. Immediately after the discovery, the affected entity took its systems offline to prevent the spread of the ransomware and limit the potential for further data theft. The entity targeted by the attack stated the patient information stored on the affected computers was not in a “human-readable” format. The entity did, however, notify all patients whose data was stored on affected devices of the breach, as a precaution. All systems have now been restored and additional layers of security and encryption have also been implemented to prevent further attacks or breaches.
Fresenius Medical Care North America Agrees (FMCNA) to Pay $3.5 million For ePHI Breaches
FMCNA has agreed to pay $3.5 million to the Office for Civil Rights (OCR). and to adopt a corrective action after five breach reports regarding ePHI (Electronic Protected Health Information). OCR found that FMCNA Covered Entities impermissibly disclosed the ePHI of its patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. OCR also found that the Covered Entities failed to implement policies and procedures to safeguard the facilities and equipment that contained ePHI. On February 1, 2018, the parties agreed to a corrective action plan to prevent future disclosures.
FMCNA Resoultion Agreement and Comprehensive Corrective Action Plan
21st Century Oncology (21CO) Agrees to Pay $2.3 Million for Failure to Conduct Thorough Assessment of Vulnerabilities to ePHI
OCR investigation reveals that 21CO failed to conduct an acurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Earlier investigations revealed that patient information was obtained by an unauthorized third party and determined that over 2.2 million individuals were affected by the impermissible access to their names, social security numbers, physicians' names, diagnoses, treatment, and insurance information. In addition to a $2.3 million monetary settlement, a corrective plan requires 21CO to complete a risk analysis and risk management plan, revise policies and pocedures, educate its workfoce on policies and procedures, provide all maintained BAA agreements to OCR, and submit an internal monitoring plan.