Michael Causey


Risk Management Programs: What the Latest Wave of HIPAA Fines Means

It was a busy year for Health and Human Services

Published: Tuesday, December 20, 2016 - 11:34

The Department of Health and Human Services (HHS) hit hospitals and other healthcare delivery networks hard in the pocketbook between July and October with a wave of large settlements, each of them zeroing in on the same issue: security risk management. Is this the end of the fine tsunami? Don’t bet on it.

In the most recent example, St. Joseph Health (SJH) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following reports that files containing electronic protected health information (ePHI) had been publicly accessible through internet search engines for more than a year, ending in 2012. SJH, a nonprofit, integrated Catholic healthcare delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2.14 million and adopt a comprehensive corrective action plan.

Identifying the problem isn’t enough

“Entities must not only conduct a comprehensive risk analysis, but also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” said HHS’ Office for Civil Rights (OCR) Director Jocelyn Samuels in an Oct. 18, 2016, HHS press release. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

Clearly, HHS and OCR are stepping up enforcement on a number of document protection and electronic data security issues, and it’s probably time for some hospitals to step up their game. Drug and medical device manufacturers face many of the same data management challenges, so it’s no stretch to imagine OCR turning its enforcement flashlight on them one of these days, too.

It’s important to note that HHS does not certify HIPAA compliance, so no vendor (or “business associate”) can accurately declare itself officially “HIPAA compliant.” However, the vendors that can demonstrate an understanding of the act’s requirements, and show how their own controls and documentation address them, should be able to assure drug and device makers that they’re in safe hands.

Returning to OCR’s most recent activity: in addition to the $2.14 million settlement, SJH must implement a corrective action plan that requires the organization to conduct an enterprisewide risk analysis and to develop and implement a risk management plan. Once that’s complete, the hospital network must revise its policies and procedures and train its staff on them. The Resolution Agreement and Corrective Action Plan may be found on the OCR website.

HHS had a busy summer

HHS was active earlier in the year as well. In July, the University of Mississippi Medical Center (UMMC) agreed to settle multiple alleged violations of HIPAA. OCR’s investigation of UMMC was triggered by a breach of unsecured ePHI that potentially exposed approximately 10,000 individuals. During the investigation, OCR concluded that UMMC had been aware of various risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach, due largely to organizational deficiencies and insufficient institutional oversight. That kind of inaction doesn’t exactly persuade OCR that an organization is acting in good faith.

UMMC was told to pay a resolution amount of $2.76 million and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.

Also in July, Oregon Health & Science University (OHSU) settled potential HIPAA violations. OCR reported that it found widespread and diverse problems at OHSU, which will be addressed through a comprehensive, three-year corrective action plan. The settlement includes a monetary payment by OHSU to the Department of $2.7 million. OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.

As if the fines weren’t enough, OHSU’s problems were broadcast far and wide in local and national press coverage. OCR’s investigation uncovered evidence of widespread vulnerabilities, including the storage of ePHI of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses. OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but OCR concluded that these analyses did not cover all ePHI in OHSU’s enterprise, as the Security Rule requires. Although the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to reduce these documented risks and vulnerabilities to a reasonable and appropriate level.

Are life sciences firms next?

The lesson from all three cases is that identifying a potential problem is never enough. HHS, like the Food and Drug Administration (FDA), expects to see a clear corrective and preventive action (CAPA) plan, with documentation showing that the life sciences or healthcare organization has a vise-like grip on electronic data security: the risks found in the analysis must be tracked through to implemented, verified controls.

According to OCR, OHSU also lacked policies and procedures to prevent, detect, contain, and correct security violations, and failed to implement a mechanism to encrypt and decrypt ePHI, or an equivalent alternative measure, for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk in its own analyses.

As mentioned earlier, OCR will likely one day focus on medical device and pharmaceutical manufacturers. Learn how implementing an automated quality management system like AssurX can add a layer of protection against a potential multimillion-dollar fine against your company.

First published Nov. 14, 2016, on the AssurX blog.


About The Author


Michael Causey

James Michael Causey has been a journalist since he started his own neighborhood newspaper in the 1970s. In addition to quizzing FDA officials for the past 10+ years, he has interviewed political satirist Art Buchwald, FCC Chairman Reed Hundt, and SEC Chairwoman Mary Schapiro, and is the past president of the Washington Independent Writers. Causey is the editor and publisher of eDataIntegrityReport.com and a contributing writer on the AssurX blog.