HHS Resolution Agreement: Cottage Health (Dec. 12, 2018); HHS News Release (Feb. 7, 2019)
HHS’s Office for Civil Rights (OCR) has announced a $3 million settlement with a group of hospitals after OCR received two breach notifications involving unsecured protected health information (PHI) of more than 60,000 individuals. The first breach arose from a contractor’s removal of electronic security protections from a computer server, permitting access to files containing PHI without a username and password. The second breach occurred when a server was misconfigured following a response to a troubleshooting ticket, exposing unsecured PHI over the Internet. The breached PHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information. OCR’s investigation revealed that the hospitals failed to conduct an accurate and thorough risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; perform an evaluation in response to environmental or operational changes affecting the security of PHI; or obtain a written business associate contract with a contractor that maintained ePHI on their behalf.
In addition to the settlement payments, the hospitals agreed to a corrective action plan (CAP). The CAP requires the hospitals to conduct an enterprise-wide risk analysis and adopt a corresponding risk management plan, each subject to OCR review and approval. The hospitals must also implement a process to regularly evaluate environmental or operational changes affecting the security of PHI. Subject to OCR approval, privacy and security policies and procedures must be implemented, distributed to workforce members, and incorporated into the hospitals’ privacy and security training program.
EBIA Comment: This settlement provides a reminder of the hazards associated with computer servers. Because servers can store large amounts of PHI, violations can affect many individuals and lead to significant settlement payments—including a $4.8 million settlement in May 2014 and a $2.14 million settlement in October 2016. Particular attention should be paid to servers’ configuration and security settings. Whenever changes are made to a device capable of storing or processing PHI, an evaluation should be undertaken to identify and address vulnerabilities to PHI. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXX.B.1 (“Standard: Security Management Process”) and XXX.B.8 (“Standard: Evaluation”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.