The Office for Civil Rights has announced a settlement with an accounting firm in the amount of $175,000, payable over 2 years, resulting from a ransomware breach of Protected Health Information the firm was hosting for clients. See - https://www.hhs.gov/press-room/hhs-ocr-bst-hipaa-settlement.html. In addition, a smattering of corrective action requirements is now looming over the firm, which I will lay out below.
Why is this notable? It seems like a snooze-fest, and the dollar amount isn’t headline newsworthy. But isn’t it? Look how ordinary this exposure is, and at the expectation that any party handling PHI take these precautionary measures. As the primary source, the covered entity, the crux of the responsibility lies with you. I am sending today’s newsletter out to remind you to conduct your annual Security Risk Assessment. Connect with your IT provider and discuss the protective measures in place against cyber attacks. Discuss encryption. Work with compliance counsel on your administrative approach with your team. And train on HIPAA.
You may have heard me wax on about OCR and how the office’s directive has changed to one mandating fines for non-compliance. To avoid exposure, heed the guidance and take preventive measures, because it is easy to land on this agency’s radar. OCR is soliciting tips from the general public - “If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.”
OCR’s recommended steps, quoted from the settlement announcement -
“OCR recommends that HIPAA covered health care providers, health plans, health care clearinghouses, and business associates implement the following steps to mitigate or prevent cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Periodically conduct, and update as needed, a risk analysis and develop and implement risk management measures to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize mechanisms to authenticate users seeking access to ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/hhs-ocr-bst-hipaa-settlement.pdf [PDF, 146 KB]”