With the proliferation of mobile and cloud computing, data security threats are a constant concern, especially in health care. Cloud storage of electronic health records (EHR) has helped to improve the quality and efficiency of care by allowing all of your doctors and specialists to access your records and medical history seamlessly. It has also raised the stakes for proper HIPAA compliance. But that shouldn’t lessen the importance of including your staff and physical records in your HIPAA Risk Assessment. This year we have seen the largest HIPAA settlement to date for failure to maintain compliance, and it has nothing to do with cloud computing.
Memorial Healthcare System (MHS) in South Florida recently settled its case for $5.5 million after failing to notice that a former employee’s login credentials were being used to access over 80,000 patient records over the course of a year.
Here are the details, according to the U.S. Department of Health and Human Services report:
MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
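The two control failures the report names (access rights not revoked when a user departs, and no regular review of application audit logs) translate into a concrete check. The following is an added example, not part of the original post or of any HHS guidance: it reviews constructed sample ePHI access log lines against a constructed workforce roster and flags any access by a terminated or unknown account. The CSV layout, field names and roster format are assumptions.

```python
# Added example: a minimal audit-log review that flags ePHI access by accounts
# whose workforce access should have been terminated. The roster, the log lines
# and the field layout are constructed sample data, not from any real system.
from datetime import date
import csv, io

# Constructed workforce roster: user id -> termination date (None = still active)
ROSTER = {
    "jsmith": None,
    "ajones": date(2011, 3, 31),   # left the affiliated physician's office
}

# Constructed ePHI application access log (CSV: date,user,action,record_id)
SAMPLE_LOG = """\
2011-04-01,jsmith,VIEW,PT-1001
2011-04-01,ajones,VIEW,PT-1002
2011-04-02,ajones,VIEW,PT-1003
2011-04-02,ajones,VIEW,PT-1004
2011-04-03,jsmith,VIEW,PT-1005
2011-04-03,unknown,VIEW,PT-1006
"""

def review_access_log(log_text, roster):
    """Return one finding (date, user, record, reason) per log line that a
    regular log review should escalate: access by an account with no roster
    entry, or by an account used after its termination date."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text),
                              fieldnames=["ts", "user", "action", "record"]):
        when = date.fromisoformat(row["ts"])
        if row["user"] not in roster:
            findings.append((row["ts"], row["user"], row["record"], "UNKNOWN_USER"))
            continue
        term = roster[row["user"]]
        if term is not None and when > term:
            findings.append((row["ts"], row["user"], row["record"], "TERMINATED_USER"))
    return findings

def terminated_user_summary(findings):
    """Distinct records touched per terminated account: the number of affected
    individuals a breach notification has to state."""
    summary = {}
    for _ts, user, record, reason in findings:
        if reason == "TERMINATED_USER":
            summary.setdefault(user, set()).add(record)
    return {u: len(r) for u, r in summary.items()}

if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG, ROSTER)
    for item in found:
        print(*item)
    print(terminated_user_summary(found))
```

In practice the roster comes from the HR or identity system and the log from the EHR application, and the review runs on a schedule rather than once; the point is that the check is cheap once the two data sources are joined.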
In another recent violation, a Washington D.C. family services employee, who also happened to be a felon, decided to “outsource” some of her workload by mailing confidential medical records containing protected health information (PHI) to a local student she had hired via Facebook to transcribe notes. “It’s the responsibility of the organization engaging subcontractors to ensure only carefully selected individuals have access to the organization’s sensitive data.”
The HIPAA Security Rules can’t be taken lightly by any HIPAA covered entity. While EHRs are a critical piece of the security puzzle, breaches and violations can result from physical and administrative failures as well. How can a smaller organization hope to get a thorough picture of its current security posture and know where the gaps are?
Great Lakes Computer now offers a HIPAA Risk Advisor tool that is both easy to use and cost-effective. Delivered from the cloud, the tool includes an automated security risk assessment as well as a dedicated HIPAA security expert who guides you through the entire process and provides a risk and gap analysis with recommendations to improve security. Great Lakes Computer can then apply our IT expertise to remediate the weaknesses found.