Resolution Agreement: 21st Century Oncology, Inc. (undated); HHS Press Release (Dec. 28, 2017)
HHS’s Office for Civil Rights (OCR) has announced a settlement with a health care provider (a HIPAA covered entity) after the protected health information (PHI) of over 2.2 million individuals may have been impermissibly accessed in attacks on the provider’s network database. OCR asserted that the provider had failed to (1) conduct an accurate and thorough risk analysis; (2) implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; and (3) implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident-tracking reports. Also, the provider allegedly disclosed PHI to third-party vendors without a written business associate agreement.
In addition to making a payment of $2.3 million, the provider agreed to a two-year corrective action plan (CAP) requiring it to (1) complete a risk analysis and risk management plan; (2) account for its business associates and provide OCR with copies of business associate contracts; and (3) revise, subject to OCR approval, its policies and procedures for establishing, modifying, and terminating access to PHI and reviewing information system activity. The provider also agreed to adopt a plan to internally monitor its adherence to the CAP and to engage an independent, qualified third party to investigate, assess, and make specific determinations in written reports regarding the provider’s compliance with the CAP.
EBIA Comment: This is the first resolution agreement publicly announced in several months, but the size of the settlement payment and the strict terms of the CAP indicate that OCR continues to take HIPAA privacy and security compliance seriously. More robust audit controls might have enabled this provider to discover the unauthorized disclosures before the FBI did—potentially avoiding OCR’s investigation and the attendant ramifications. OCR explains the importance of audit controls and related compliance considerations in its January 2017 cybersecurity newsletter. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXX.B (“Administrative Safeguards”), and XXX.D (“Technical Safeguards”). You may also be interested in our upcoming webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (live on 1/17/18).
Contributing Editors: EBIA Staff.