7/27/2016 05:30 PM

HHS Penalizes Philadelphia Healthcare Organization For HIPAA Violation

Catholic Health Care Services of the Archdiocese of Philadelphia agrees to pay $650,000 fine over 2014 data breach.

Organizations that provide services to entities handling personal health information and health records—like doctors' offices and hospitals—have for some time been required to comply with the security and privacy requirements of the Health Information Portability and Accountability Act (HIPAA).

But thus far, the Office of Civil Rights (OCR) at the US Department of Health and Human Services, which is responsible for administering the rules, has taken few steps to enforce HIPAA.

That may finally be changing.

The OCR recently reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) over the 2014 theft of a mobile device containing unencrypted protected health data on over 400 patients at a nursing home.

The settlement requires CHCS to pay a $650,000 fine and adopt a corrective action plan to protect against something similar happening again. The plan calls on CHCS to implement formal risk analysis and risk management procedures and to develop and maintain a written security policy covering topics like data encryption, password management, incident response, device control, log-in monitoring, and disaster recovery.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said Jocelyn Samuels, director of the OCR in a statement announcing the settlement.

CHCS provides living services like housing, care management, and in-support programs for seniors in the Philadelphia area. It is the first business associate—or organization that provides services to HIPAA-covered entities—to face enforcement action for a security violation under the statute.

Odia Kagan, an attorney with the law firm Ballard Spahr LLP in Philadelphia, says the OCR enforcement action highlights the need for business associates to properly address how they handle protected health information (PHI) under HIPAA.


“They should conduct periodic risk assessments to ascertain the vulnerabilities to PHI going through their systems, both externally and internally,” Kagan says. In addition they should make sure to implement written policies and procedures for protecting the confidentiality, integrity, and availability of PHI in their systems, she says.

Going forward, business associates should expect more such audits and enforcement action from the OCR -- and it won’t always take a breach to initiate one, Kagan cautions.

The OCR recently launched Phase 2 of its HIPAA audit program and has already sent emails to some 167 covered entities notifying them that they have been selected for a formal desk audit, she says. The desk audits will focus on how well the covered entities have complied with requirements like making privacy notices available to patients, the access they provide to PHI, the timeliness and content of their breach notifications, and whether they conduct periodic audits of business associate compliance.

According to the OCR, the second phase of its HIPAA audit program scheduled for later this year will involve not only covered entities but also their business partners, Kagan says.

Such developments should encourage business associates to pay attention not just to the prospect of an audit but also to the likely outcome of one. “If business associates adequately prepare by taking the right steps to protect PHI, they would be well positioned to do well in an audit, even if one does occur,” she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
mtscompany, User Rank: Apprentice, 8/24/2016 1:00:36 AM
Medical Transcription Service Company
Follow the proper guidelines of HIPAA and give more security to the patient data...
S551, User Rank: Apprentice, 8/16/2016 1:45:25 PM
Complete incompetence by leadership
Was anyone fired? Many lost their jobs at the archdiocese for no reason. This is total incompetence.