Bryan Cave – How to Avoid Being the Next OCR Target for a HIPAA CMP
Healthcare Business Associates
Business Associates Beware! OCR Means Business
In June 2016, OCR entered into its first settlement agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), for potential violations of the HIPAA Laws by failing to protect electronic protected health information (“EPHI”) of nursing home residents. The smartphone of a CHCS employee was stolen and contained EPHI. The smartphone was not password protected, and the EPHI was unencrypted. The EPHI of more than 400 residents included social security numbers, diagnostic and treatment information, medications, and the names of family members and legal guardians. OCR determined that CHCS had failed to perform a HIPAA Security Risk Assessment and implement a risk management plan regarding compliance with the HIPAA Laws, and that CHCS didn’t have policies and procedures as required under the HIPAA Security Rule. The settlement included a penalty of $650,000 and a corrective action plan for two years, which will be monitored by OCR….
How to Develop a HIPAA Incident Response Team
Covered entities and business associates are required to identify and report breaches of unsecured protected health information (“PHI”) and security incidents. “Breach” is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Laws which compromises the security or privacy of the PHI, and is not one of the breach exclusions. Breach applies to both paper and electronic PHI. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of electronic PHI (“EPHI”) or interference with the entity’s system operations in its information system. The Federal Office for Civil Rights (“OCR”) has recommended that covered entities and business associates have incident response teams capable of identifying and handling breaches and security incidents. Incident response plans and policies should be developed, reviewed annually, and approved by management….
Ransomware May Be a Reportable HIPAA Breach
In 2016, more than 4000 ransomware or other malware attacks are occurring daily, a 300% increase since 2015. There have been reports of six hospitals that have been victims of ransomware in 2016. Ransomware is a type of malicious software used by cyber actors to deny access to an entity’s systems and/or data. Ransomware may spread to shared storage drives and other systems. The systems and data are held hostage until a ransom is paid….
Understanding The Responsibilities and Liabilities of Business Associates at a Glance (2015)
The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of “Business Associates” and their responsibilities and liabilities. Pursuant to HITECH and HIPAA, Business Associates are required to . . .