A couple of recent Department of Health and Human Services (HHS) legal settlements emphasize paperwork over security, showing that a healthcare entity’s approach to safeguarding data must be holistic: yes, you need to use encryption, and lock doors, and hide screens from potential medical data peeping-toms…but you also need to make sure that you’ve followed protocols regarding the creation of policies and other actions deemed obligatory by the HHS.
Not doing so “will cost you.”
$31,000 For Not Producing a Business Associate Agreement
According to databreaches.net, the Center for Children’s Digestive Health (CCDH), an Illinois-based pediatric center (their website is, appropriately enough, tummydocs.com), was fined more than $30,000 for being unable to produce a business associate (BA) agreement. The document is supposed to contractually guarantee that the BA will properly guard patient data, among other things.
Per my reading of the HHS’s resolution agreement, not having this document effectively means that the HIPAA covered-entity (CCDH, in this instance) illegally disclosed sensitive patient info to a third party.
What prompted the HHS to see if the BA agreement existed? The BA in question, FileFax, Inc., was caught discarding hundreds of medical files in a dumpster. Unsurprisingly, this prompted everyone, from the HHS to the Attorney General, to see if FileFax was storing any other sensitive info (and, undoubtedly, whether it was properly secured).
$400,000 For Lack of a Risk Assessment
Similarly to CCDH, the Metro Community Provider Network (MCPN) in Denver, Colorado settled with the HHS over what feels like paperwork; more specifically in this case, for not conducting a risk assessment.
Apparently, a hacker obtained thousands of PHI (protected health information) records in 2012 via phishing, the con where a person sends email pretending to be someone the victim knows and trusts. It looks like the phishing attempt was strongly enabled by the hacker accessing MCPN’s employee email accounts.
The government has gone after MCPN purportedly for the lack of a risk assessment. Again, a risk assessment is not something that one traditionally files under the banner of “data security.” And it is dubious whether a risk assessment would have revealed the vulnerability used by the phisher. But its importance is not unjustified. After all, if you don’t know where your weaknesses lie, how are you going to defend yourself against them?
HIPAA / HITECH has always stressed that a security risk assessment and other “non-active security procedures” are an important part of securing a covered entity’s patient data. And the HHS is backing that up with a message that many can understand.