Michael Causey

FDA Compliance

Risk Management Programs: What the Latest Wave of HIPAA Fines Means

It was a busy year for Health and Human Services

Published: Tuesday, December 20, 2016 - 12:34

The Department of Health and Human Services (HHS) hit hospitals and other healthcare delivery networks hard in the pocketbook with a wave of big fines zeroing in on security risk management issues between July and October. Is this the end of the fine tsunami? Don’t bet on it.

In the most recent example, St. Joseph Health (SJH) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following reports that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines for more than a year, ending in 2012. SJH, a nonprofit, integrated Catholic healthcare delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2.14 million and adopt a comprehensive corrective action plan.

Identifying the problem isn’t enough

“Entities must not only conduct a comprehensive risk analysis, but also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said HHS’ Office for Civil Rights (OCR) Director Jocelyn Samuels in an Oct. 18, 2016, HHS press release. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

Clearly, HHS and OCR are stepping up enforcement on a number of document protection and e-data security issues. It’s probably time for some hospitals to step up their game. Likewise, drug and medical device manufacturers face some of the same challenges in terms of data management, so it’s no stretch to imagine the OCR will turn its enforcement flashlight on them one of these days, too.

It’s important to note that no vendor (or “business associate”) can accurately declare itself “HIPAA compliant,” because HHS offers no certification program and OCR does not endorse any third-party one. However, the vendors that demonstrate an understanding of the act’s requirements should be able to assure drug and device makers that they’re in safe hands.

Returning to OCR’s most recent activity, in addition to the $2.14 million settlement, SJH must implement a corrective action plan that requires the organization to conduct an enterprisewide risk analysis, and develop and implement a risk management plan. Once that’s complete, the hospital network must revise its policies and procedures, and train its staff on them. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

HHS had a busy summer

HHS was active this summer, too. In July, the University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of HIPAA. OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI that potentially exposed approximately 10,000 individuals. During the investigation, OCR concluded that UMMC had been aware of various risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. That kind of action, or lack thereof, doesn’t exactly persuade OCR that an organization is acting in good faith.

UMMC was told to pay a resolution amount of $2.76 million and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.

Also in July, Oregon Health & Science University (OHSU) settled potential HIPAA violations. OCR reported that it found widespread and diverse problems at OHSU, which will be addressed through a comprehensive, three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department for $2.7 million. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.

As if the fines weren’t enough, OHSU’s problems were broadcast far and wide in local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities, including the storage of ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR concluded that these analyses did not cover all ePHI in OHSU’s enterprise, as required by the Security Rule. Although the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures that would reduce these documented risks and vulnerabilities to a reasonable and appropriate level.

Are life sciences firms next?

In other words, identifying a potential problem is never enough. HHS, like the Food and Drug Administration (FDA), always expects to see a clear corrective and preventive action (CAPA) plan with clear documentation that shows a life sciences or healthcare organization has a vise-like grip on e-data security.

According to the OCR, OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations, and failed to implement a mechanism to encrypt and decrypt ePHI, or an equivalent alternative measure, for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk.

As mentioned earlier, OCR will likely one day focus on medical device and pharmaceutical manufacturers. Learn how implementing an automated quality management system like AssurX can add an additional layer of protection against a potential multimillion-dollar fine against your company.

First published Nov. 14, 2016, on the AssurX blog.


About The Author


Michael Causey

James Michael Causey has been a journalist since he started his own neighborhood newspaper in the 1970s. In addition to quizzing FDA officials for the past 10+ years, he has also interviewed political satirist Art Buchwald, FCC Chairman Reed Hundt, and SEC Chairwoman Mary Schapiro, and is the past president of the Washington Independent Writers. Causey is the editor and publisher of eDataIntegrityReport.com and is a contributing writer on the AssurX blog.