The OCR and The Rest of the Breach Story

In August 2016, I wrote an article entitled “A Tale of Two Breach Letters”. The article addressed two major breaches of Protected Health Information (PHI) in the Greater Phoenix Valley, at Banner Health and at Valley Anesthesiology (VAPC), that took place within a two-month timeframe.

As it happened, my neighbor was notified by both organizations that her PHI was part of their reported breaches.

In my original article, I discussed my neighbor's concern about the information, or lack of information, provided to her. Several areas of concern were noted: VAPC's letter did not include any information about identity theft or credit monitoring services, as Banner Health's letter did, and the letter did not include the same information that was posted in VAPC's website notice. One glaring discrepancy: the website notice stated that “some social security numbers” may have been compromised, while the letter stated “your social security number and financial information were not included in these computer systems”.

After a call to the phone number provided in the letter, she was told that the credit monitoring information should have been included with the letter, and she was given that information over the phone.

Clearly upset and confused by the lack of transparency on the part of VAPC, she filed a complaint with the Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services that enforces HIPAA (the Health Insurance Portability and Accountability Act of 1996).

My neighbor has given me permission to share the information contained in the communication from the OCR, which was dated February 3, 2017. The communication contained two letters. The first was directed to my neighbor and stated that there were other complaints pertaining to this breach. The OCR stated that “in order to reduce duplication of efforts they had combined complaints” and provided a “Transaction Number”. This letter also stated that the OCR may have to release the complainant's information under the Freedom of Information Act if requested by the public.

The second, four-page letter was addressed to VAPC and its law firm. For the purposes of this article, I will share only the information that helps readers gain a greater understanding of the OCR.

Along with the “Background” of the breach incident, the OCR provided an overview of the 14 potential violations by VAPC. On November 2, 2015, VAPC became a subsidiary of Sheridan Healthcorp, Inc. (Sheridan). As part of the post-acquisition process, Sheridan had scheduled a security risk assessment for June 2016. VAPC stated the incident occurred on June 13, 2016.

VAPC hired “a leading forensics firm to conduct a forensics investigation”, which determined that a third party had gained access to computer systems on March 30, 2016 via remote desktop from an Internet Protocol (IP) address that appeared to be in China. The intruder appeared to attempt to install malware on the Electronic Health Records (EHR) software, Allscripts. That account was disabled, but nine more foreign IP addresses then attempted to use the remote desktop protocol to access various parts of the VAPC computer system with administrator privileges.

It’s worth noting that the breach notification was received on June 13, 2016. The OCR also notes a suspected additional breach dated July 13, 2016.

    The OCR provided the findings of the investigation:

• VAPC did not provide a comprehensive, enterprise-wide risk analysis report and a corresponding risk mitigation plan, as required by the Security Rule.

• The copies of policies furnished had been either revised or instituted after the incident.

    • The documents provided were “high level statements and lack the necessary granularity for effective implementation”.

    • User access procedures included an exception that stated “NON-HIPAA and Non-Sox applications should follow this procedure, but are not a must.”

• VAPC reported that, because of the incident, it took the following corrective actions:

                a) Disabled or reset passwords for compromised accounts;
                b) Centralized logging for key systems, such as firewalls and servers;
                c) Blacklisted foreign IP addresses;
                d) Tightened firewall rules;
                e) Whitelisted service provider IP addresses;
                f)  Implemented complex password policies;
                g) Reset user passwords universally;
                h) Installed a VPN device for remote access;
                i)  Rebuilt six compromised servers;
                j)  Replaced the firewall with newer technology;
                k) Rebuilt workstations to enhanced standards.
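Several of the actions above (centralized logging, blacklisting foreign addresses, whitelisting service provider addresses, moving remote access behind a VPN) come down to one control: know where every remote desktop logon originates, and allow only the sources you expect. The following Python script is an added illustration of that check, written for this article; it is not code from VAPC, Sheridan, the forensics firm or the OCR. It reviews Windows logon events for RDP sessions (logon type 10) from addresses outside an allowlist and flags those that used an administrative account. The log lines, the allowlist ranges and the simple `key=value` export format are all constructed for the example; a real deployment would read the centralized log store and take the allowlist from the firewall or VPN configuration.

```python
"""
Flag Remote Desktop (RDP) logons arriving from addresses outside an allowlist.
Example code written for this article, not from VAPC, Sheridan or the OCR.
All log lines, accounts and address ranges below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: internal RFC 1918 space plus a hypothetical
# service-provider range (203.0.113.0/24 is a documentation range).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Windows Security event 4624 (successful logon); logon type 10 is
# RemoteInteractive, i.e. an RDP session.
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"


@dataclass
class Finding:
    timestamp: str
    account: str
    source_ip: str
    reason: str


def parse_event(line):
    """Parse one 'key=value; key=value' export line into a dict."""
    fields = {}
    for token in line.split(";"):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_allowed(ip):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def review_rdp_logons(lines, admin_accounts):
    """Return a Finding for each successful RDP logon from a non-allowlisted
    address; note separately when the account is an administrative one."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != SUCCESSFUL_LOGON or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = ev.get("SourceIP", "")
        if not ip or ip == "-":          # local/console logons carry no source
            continue
        if is_allowed(ip):
            continue
        account = ev.get("Account", "?")
        reason = "RDP logon from non-allowlisted address"
        if account.lower() in admin_accounts:
            reason += " using an administrative account"
        findings.append(Finding(ev.get("Time", "?"), account, ip, reason))
    return findings


# Constructed sample events (not real logs). 198.51.100.0/24 is a
# documentation range standing in for an unexpected foreign source.
SAMPLE_EVENTS = [
    "Time=2016-03-30T02:14:07Z; EventID=4624; LogonType=10; Account=Administrator; SourceIP=198.51.100.23",
    "Time=2016-03-30T08:02:11Z; EventID=4624; LogonType=10; Account=jsmith; SourceIP=203.0.113.45",
    "Time=2016-03-30T08:05:40Z; EventID=4624; LogonType=2; Account=jsmith; SourceIP=-",
    "Time=2016-03-31T23:58:01Z; EventID=4624; LogonType=10; Account=svc_backup; SourceIP=192.168.10.5",
    "Time=2016-04-01T03:12:55Z; EventID=4625; LogonType=10; Account=Administrator; SourceIP=198.51.100.77",
    "Time=2016-04-01T03:13:02Z; EventID=4624; LogonType=10; Account=helpdesk; SourceIP=198.51.100.77",
]

if __name__ == "__main__":
    for f in review_rdp_logons(SAMPLE_EVENTS, {"administrator"}):
        print(f"{f.timestamp} {f.account} from {f.source_ip}: {f.reason}")
```

Run against the constructed events, the script reports two logons: the Administrator session from 198.51.100.23 and the helpdesk session from 198.51.100.77. The logon from the allowlisted provider range, the internal logon, the console logon and the failed attempt (event 4625) are all skipped. The point of keeping the allowlist small is the same one behind VAPC's VPN and whitelisting actions: once remote access is only expected from a handful of ranges, any RDP logon from elsewhere is a finding rather than noise.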

Despite the above corrective actions taken by VAPC, the OCR determined that the following corrective actions are needed to bring VAPC into compliance with the HIPAA Security Rule:

    • Conduct a comprehensive and current security risk analysis.
    • Implement a corresponding risk management/mitigation plan to address the findings of the report.
    • Document evidence of an implemented security awareness training program, including training material (not just email reminders) and records of completion by workforce and management.
    • Clarify why non-ePHI applications are not governed by the same user access review procedures.

Furthermore, the OCR states: “Please note that after a period of six months has passed, OCR may initiate and conduct a compliance review of VAPC related to its compliance with 45 C.F.R. 164.308(a)(1)(ii)(A), Risk Analysis, and 164.308(a)(1)(ii)(B), Risk Management.”

Additionally, the OCR provided a paragraph defining the Breach Notification Rule: “In the event that a covered entity discovers a breach of unsecured protected health information, it is required to notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity is required to provide substitute notice, if necessary, and notify prominent media outlets serving the State or jurisdiction and the Secretary of HHS, respectively, if there is a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction.”

How many covered entities do not notify those whose protected health information has been breached? What is the downside of not notifying those impacted by a breach affecting 500 or more individuals? I would imagine that no covered entity would like to find out!

Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures for your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com.

    Follow JAL:

Twitter: @judithconsult

Instagram: judithconsult

Copyright © JAL Consulting 2017