Cyber Attack at Community Health Systems Affects 4.5 Million Patients-Could This be a New Trend?

Patricia's Photos 013By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar  in Health Law

On August 18, 2014, Community Health Systems, a Tennessee-based hospital chain that has 206 hospitals in 29 states, announced that its computer system was hacked. According to a number of news reports, an outside group of hackers, originating in China, used highly sophisticated malware and technology to steal 4.5 million patients’ non-medical data. The hackers were able to obtain patients’ names, Social Security numbers, addresses, birth dates, and telephone numbers.

According to the Orlando Sentinel, in Florida, St. Cloud Surgical Associates, St. Cloud Medical Group, and Urology Associates of St. Cloud were among the practices where medical data was stolen. The article did not mention how many patients in Florida were affected. Click here to read the story from the Orlando Sentinel.

How Community Health Systems will Handle Being Hacked.

According to The New York Times, Community Health Systems believes the attacks happened from April to June 2014. The company will be notifying affected patients and agencies under the Health Insurance Portability and Accountability Act (HIPAA).

The hospital system is now working with a security company to investigate the incident and help prevent future attacks. Federal law enforcement agents are also investigating the incident. Click here to read the entire article from The New York Times.

Because this breach affected more than 500 individuals, it will soon be posted on the Office for Civil Rights (OCR) Department of Health and Human Services’ (HHS) Wall of Shame. The law requires that any breach involving 500 or more individuals be publicly posted. To learn more on the Wall of Shame, click here for my previous blog.

Protect Your Practice As Best You Can From Cyber Attacks.

Cyber hacking in the medical community appears to be a crime of opportunity. Quickly there are becoming two types of companies: those that have been hacked and those that will be hacked.

While there is no way to guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment. Some areas to focus on include:

–    Background checks;
–    Comprehensive policies and procedures;
–    Vigilance when it comes to monitoring and data-leakage prevention tools; and
–    Employee education.

Medical practices are going to become bigger targets as the health care industry transitions to electronic health records. In addition, the hacking community is figuring out it is easier to hack a hospital or private practice, than it is a bank and you get the same information. To learn more on HIPAA risk assessments, click here.

Comments?

How do you protect your medical practice from hackers? Do you have regular risk assessments? Why or why not? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Perlroth, Nicole. “Hack of Community Health Systems Affects 4.5 Million Patients.” The New York Times. (August 18, 2014). From: http://nyti.ms/1pFpujC

Kutscher, Beth. “Chinese Hackers Hit Community Health Systems; Other Vulnerable.” Modern Healthcare. (August 18, 2014). From: http://bit.ly/1BxsLqH

Jacobson, Susan. “St. Cloud Medical Patients’ Information Among Millions Stolen in Cyber Attack.” (August 18, 2014). From: http://www.orlandosentinel.com/business/os-hospital-data-breach-st-cloud-20140818,0,3157319.story

Rose, Rachel. “Protecting Your Medical Practices From Cyber Threats.” Physicians Practice. (July 17, 2014). From: http://www.physicianspractice.com/blog/protecting-your-medical-practice-cyberthreats

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

Are You Ready for HIPAA and HITECH Audits?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is launching a pilot program this month to make sure covered entities are in compliance with HIPAA privacy and security rules and breach notification standards, according to the OCR. The OCR will perform up to 150 audits to assess HIPAA compliance.

The HITECH Act requires HHS to perform periodic audits to check for HIPAA compliance. The audits will be conducted from November 2011 through December 2012. Initially these audits will likely focus on hospitals and insurance companies, but HMEs could also be a target.

Though early audits are likely to be educational, in order to get a basic assessment of where providers stand in regards to HIPAA, that doesn’t mean there won’t be repercussions for violations. Because the privacy rule has been established since 2001 and the security rule has been established since 2003, providers can not be completely excused for missteps.

HIPAA violations can result in severe penalties (per section 1177 of HIPAA) including:

• a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
• Civil fines can also be imposed by the Secretary of DHHS with a maximum is $100 for each violation, with the total amount not to exceed $25,0000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony).

Since the final rule for the HITECH Act hasn’t been finalized, the OCR can only expect providers to make decent judgments about the provisions in the interim final rule.

Providers need to review where they’re at with privacy and security compliance and make any improvements. This pilot program of audits will likely be expanded (and the more violations the OCR encounters, the larger the likelihood of strict enforcement), so all providers should be aware of current practices and how to ensure compliance.

For more information about HIPAA and other healthcare audits, visit www.TheHealthLawFirm.com.

By |2024-03-14T10:00:27-04:00June 1, 2018|Categories: Health Care Industry, HIPAA, Hitech Act, The Health Law Firm Blog|Tags: , , , , , , |Comments Off on Are You Ready for HIPAA and HITECH Audits?

Alleged HIPAA Privacy Violations at the Center of a Recent Physician Group Settlement with HHS

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A small physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).

The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Against PCS Stemmed from Internet Calendar Postings

OCR’s investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PSC had disclosed protected health information (PHI) on patients on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible, Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.

Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA’s privacy and security rules.

Are You In Compliance with HIPAA?

The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassenbaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Medical Practices Should Use Caution When Working With Electronic Health Information

This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice’s risk of violating HIPAA’s Privacy Rule and Security Rule.

All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA’s violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. “HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards.” U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. “Online Calendar Mistakes Cost Doctors Group $100,000.” Information Week. (Apr. 23, 2012). From
http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. “HHS Settlement for Lack of HIPAA Safeguards.” Proskauer Privacy Law Blog. (Apr. 25, 2012). From
http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

OCR Releases Results From First Round of HIPAA Audits

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office for Civil Rights’ (OCR) has release information on the initial round of mandated audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. The OCR announced official details concerning the audits at an OCR and National Institute of Standards and Technology (NIST) conference held June 6, 2012.

Initial HIPAA Audits Started November 2011.

As required by the HITECH Act, the OCR began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations in November 2011. The OCR selected 150 covered entities to be audited in the pilot phase by KPMG LLP (KPMG). KPMG is the audit contractor chosen by the OCR to perform HIPAA audits. The first 20 audits concluded in March 2012. More audits will continue to occur this year.

HIPAA Audit Process.

The HIPAA audit process was drafted by the OCR and KPMG in November 2011. Entities selected for an audit receive a notification letter from OCR and are asked to provide documentation to the auditor. Every audit includes a site visit. After the site visit and initial investigation, KPMG recommends suggested modifications for the entity to meet compliance standards in a draft audit report. The entity will have an opportunity to respond to the draft audit report, citing any findings made by KPMG that may be incorrect. KPMG then summarizes final results in a final audit report. The final audit report details how the audit was conducted; what the findings were and; what actions the covered entity is taking in response to those findings.

HIPAA Audit Results.

The results of the initial round of audits revealed that small covered entities had a lot more issues than large ones. Six of the 20 audited entities were small entities (e.g., $50 million or less in revenue). However, these small entities represented 66% of the deficiency findings. Additionally, the OCR reported that health care providers had more problems than plans or clearinghouses. A disproportionate number of the deficiencies were by health care providers. While providers represented 50% of the 20 audited entities, they were responsible for 81% of the deficiency findings.

The OCR also announced that the majority of the findings were related to the Security Rule. OCR indicated that this is partially attributable to more of the audit protocol focusing on security than privacy or breach notification.

To view the OCR’s presentation on HIPAA audit findings, click here.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Sources Include:

Greene, Adam H. and Rebecca L. Williams. “HIPAA Audits Results Released: We Still Have Work to Do.” JD Supra. (June 13, 2012). From: http://www.jdsupra.com/post/documentViewer.aspx?fid=dca67d93-c84d-4331-a327-fc394407d125

Sanches, Linda. “2012 HIPAA Privacy and Security Audits.” National Institute of Standards and Technology. (June 7, 2012). From: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf

Saul, H. Carol. “Update on OCR HIPAA Audits.” Lexology. (May 29, 2012). From: http://www.lexology.com/library/detail.aspx?g=e5a886a7-1d24-4f90-a1a6-6a367e9fc3ba

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Preparing for HIPAA Audits

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office of Civil Rights (OCR) has recently released the initial results for the first round of HIPAA audits, as well as the HIPAA audit protocol. Covered entities need to review both the audit results and audit protocol to assist in preparing for the possibility of a HIPAA audit.

Tips to Prepare for a HIPAA Audit.

Although the first round of audits has concluded, HIPAA audits will continue to be conducted through December 2012. Covered entities that avoided the first round of HIPAA audits can learn from the results released by OCR. The OCR is also expected to release an audit protocol which will further assist covered entities in learning how to prepare for a HIPAA audit. The following tips should assist covered entities in preparing for and responding to a HIPAA audit.

To see a previous blog post regarding health care audits, click here.

Before the Audit:

  • All policies and procedures required by the HIPAA Privacy, Breach Notice, and Security Rules should be finalized and regulator-ready.
  • Assign individuals in your organization that can speak to each aspect of HIPAA implementation. Be sure they are aware of questions that may be asked by the OCR concerning compliance.
  • HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis.  The OCR recently released guidance on conducting such an analysis. This risk analysis guidance can be found here. The results of your risk analysis will likely be among the documents requested for review during an audit.  If you have not conducted a risk analysis in the last year, do so now. Evaluate the results and determine how to handle identified risks. Be sure to carefully document each step of the risk analysis process.
  • Train employees on compliance. Maintain documentation that every relevant employee has been trained.
  • Identify all of your vendors that handle protected health information. Negotiate business associate agreements with all such vendors.

During the Audit:

  • Respond to every notice provided by the OCR in a timely manner. All relevant personnel should receive copies of the OCR’s written notice of its intent to audit.
  • Appropriately respond to the draft audit report with any findings that you believe were unfair or inaccurate before the report is finalized. According to the OCR you should have ten days to respond.

After the Audit:

  • When audit is over, enforce compliance measures suggested by the OCR. To avoid further action taken by the OCR.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

About the Author:  George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law.  He is the President and Managing Partner of The Health Law Firm, which has a national practice.  Its main office is in the Orlando, Florida, area.  www.TheHealthLawFirm.com  The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone:  (407) 331-6620.

Go to Top