Covered Entities are defined in the HIPAA rules as (a) health care providers who transmit any health information electronically in connection with a covered transaction, (b) health plans, and (c) health care clearinghouses. The University of Washington Medicine (UWM) is a Covered Entity; it includes the University of Washington Medical Center (UWMC), UWM's primary teaching hospital. On 11/27/2013 UWM reported a breach that exposed the electronic protected health information (e-PHI) of roughly 90,000 individuals. The exposed e-PHI varied by individual and included combinations of patient names, medical record numbers, dates of service, charges and bill balances, addresses, phone numbers, dates of birth, Social Security numbers, insurance identification numbers, and Medicare numbers. The breach began when an employee opened an email attachment containing malware, which then compromised the organization's IT systems.
The investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) found that not all UWM affiliates had adopted the organization-wide policies and procedures, including the requirement to complete system-level risk assessments and retain the supporting documentation. Furthermore, UWM had not made reasonable efforts to ensure that all affiliates were adopting and executing those policies and procedures. The failure to ensure these controls were in place, and to implement policies and procedures to prevent, detect, contain, and correct security violations, ultimately led to a monetary settlement of $750,000, a corrective action plan, and annual reports to OCR on the organization's compliance efforts.

The settlement amount was based on the civil money penalty (CMP) structure prescribed by the HITECH Act (2009) and implemented through the HIPAA Omnibus Final Rule (2013). The CMP structure is tiered by level of culpability (Unknowing, Reasonable Cause, Willful Neglect – Corrected, Willful Neglect – Not Corrected). Each violation (the page treats each affected e-PHI record as a violation) may carry a CMP of up to $50,000, capped at $1,500,000 for violations of an identical provision in a calendar year. Note that OCR does not show leniency to small organizations: the size and stature of a company has no effect on the CMP structure. Rather, the CMP is driven by the amount of e-PHI/PHI compromised in the breach and the culpability level of the violator in responding to it.
How to Protect Your Organization from a Data Breach
- Implement preventive, detective, and corrective controls, and review and audit those controls regularly.
- Test your control environment against the HHS OCR HIPAA Audit Protocol, using an independent third party.
- Complete an organization-wide security risk assessment at least annually. Consider using the Security Risk Assessment (SRA) Tool published by the HHS Office of the National Coordinator for Health IT (ONC) in collaboration with OCR.
- Require organization-wide information security awareness training, and track completion so that no employee is left untrained; the UWM breach started with a single malicious email attachment.
- Implement a third-party risk management program to manage your business associates: gain assurance over their control environment, monitor where your sensitive data goes, and baseline service levels. Ask each business associate whether a SOC report (for example, a SOC 2) covering the services it provides you is available, and use it to validate that their controls are operating effectively.