Help Me With HIPAA: Enforcement and More News (Ep 265)

 July 31, 2020

By  Anton Kiorolgo

Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Enforcement: Agape OCR Settlement

[09:34]As I was preparing for this podcast a new settlement announcement popped up in the news. It is an important one because it deals with another small provider. The first one this year was a single doctor which came out right before the Rona shutdown. We discussed it back then in March. Wow, how much has happened since we recorded that episode!

The interesting thing is the next case is another small provider which are the only two announced so far in 2020. We all know that just because they haven’t been released doesn’t mean that in a normal year they wouldn’t have been more released already.

This group is one that has a business name and then a dba name. Metropolitan Community Health Services (Metro), doing business as Agape Health Services is a Federally Qualified Health Center( FQHC) providing a variety of discounted services to the underserved population in rural North Carolina. According to the Agape website they provide Integrated Medical, Dental, Behavioral Health & Pharmacy Services for Adults and Children.  They employ around 43 people and serve about 3,100 patients annually. OCR mentions that those facts were taken into consideration when determining a settlement amount.

As usual, the press release statement gives you a clue  what they had a problem with in this case.Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.Roger Severino, OCR Director

What happened?

Agape reported a data breach to OCR on June 9, 2011. Again, a very old case. They don’t even show you how many cases that are this old are still out there. You can only see the last two years on the data breach info site. Clearly, the backlog still exists.

Something interesting is they reported the breach under Metropolitan Community Health Services so if you search for Agape NC data breach you will not find it on the breach portal. It isn’t clear if they were using the Agape name back then.  At this point, there isn’t a lot of information about this breach that popped up under either name in searches. It isn’t clear exactly what happened in the settlement like it usually is explained in these documents.

All we know is that they reported a breach that had something to do with email impacting 1,263 patients. They are paying $25K plus going on a 2 year CAP.

What are the findings?

[17:33]The settlement document goes right into the investigation indicated language about the privacy and security failures. Yet again, we see why the title of the announcement points out a small group didn’t do a lot of things they were supposed to do.Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule RequirementsOCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, Metro failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.OCR announcement

As you would expect in these cases the list is pretty much the same as always when those terms are used in the announcement language.

They failed to:

  • Implement HIPAA Security Rule policies and procedures (note the word implement)
  • Provide workforce HIPAA Security Awareness and Training until June 30, 2016 (2016 really after a breach notification in 2011)
  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI

Basically, they didn’t do any of the Security Rule work. A problem we see over and over in smaller provider offices. Well, we actually see it in large ones don’t we?

What is in the CAP?

[26:35]Nothing here that was a surprise really for a standard enforcement CAP. We have seen it over and over again. They have to do the work required under supervision and on a timeline. There is a reason we always tell our clients it takes about 2 years from when you start working with us until you feel like you have it under control, assuming you stick with it the whole time. These two year CAPs cover the basics found in the investigation but you end up getting all of your program up to date when you go through this.

There is a little bit of specific details that we haven’t seen before plus a step that I don’t recall seeing either. That could just be memory issues, but they certainly are more specific that I am used to seeing.

Here we go. First we have the Risk Analysis and Risk Management section:

MCHS shall conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by MCHS or its affiliates that are owned, controlled or managed by MCHS that contain, store, transmit or receive MCHS ePHI. As part of this process, MCHS shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHi which will then be incorporated in its Risk Analysis.

That has some very important specifications in there. I have to assume it is about trying to guide them to understand they should not do a gap analysis or a quick scan. That seems even more clear when you see the next requirement.

Within 30 days of the Effective Date, MCHS shall submit to MCHS the scope and methodology by which it proposes to conduct the Risk Analysis. HHS shall notify MCHS whether the proposed scope and methodology is or is not consistent {the Security Rule}.

They are adding in that step maybe to save some time for everyone as they keep doing it wrong. I have seen the cases where you can tell they kept asking for a proper SRA only to get something else each time. Again, something we have discussed many times. There is a great deal of confusion as to what a SRA should include. I had a discussion with someone about it just this week. It is not a gap analysis or a simple network scan.

After the plan is approved they have 120 days to submit the report to OCR. My team is listening to this at some point and feeling stressed about meeting that deadline. Unless there are resources devoted to getting this done in a timely manner we struggle to get everything done in 120 days when they are starting from scratch like this. I will point out here they only have to do the SRA in this timeframe because the recommended action plans come after this analysis is approved.

Then the whole review loop begins until HHS is happy with the report. Although there is something else specific in the loop discussion. If HHS is unhappy with the report they will tell you to try again but this statement doesn’t seem to have always been this specific:

If HHS requires revisions to the Risk Analysis, HHS shall provide MCHS with a detailed, written explanation of such required revisions and with comments and recommendations in order for MCHS to be able to prepare a revised Risk Analysis.

Once it is approved they submit their risk management plan with a timeline for getting it done. The plan gets approved by HHS and they go forth to do the work. But then there is another little anomaly I noticed. The last part of the risk management requirements says something a little different.

It says they shall annually conduct an accurate and thorough assessment, blah, blah, blah. So they expect it to happen annually. Nice point to get across to all of those who say they don’t have to do them except every 3 or 4 years. Annually is best, 3 years is a really long time in between.

The next bit is what got my attention. In the first analysis requirement it doesn’t mention BAs. In this round it specifically says they should include in their assessment of potential risks and vulnerabilities just as before but then it adds this bit:  and its engaged business associates. Not sure why that is added here and not included in the first pass. But, it is interesting to note.

The next section of the CAP covers the policies and procedures expected. We have mentioned before that they look at ALL of your privacy and security program when they do an investigation. There are no rules that say they will only look at the specific part that caused them to come knocking. Clearly, that is the case when they say the MCHS shall review and revise all of it’s written policies and procedures to comply with the Privacy, Security and Breach Notification Rules. It goes on to specifically mention all the sections that should be included for each rule. If you wonder what you should have in yours – check out this list.

Finally the CAP covers the expectations for training. I find it interesting that in all of these CAPs they expect training to take place within 30, 60 or 90 days of HHS’s approval of their policies and procedures. If that is the case, why is it that so many people only worry about training their workforce on the basic HIPAA stuff then make them read a bunch of documents to sign off that they understand? Most people don’t just read something and understand it with no further reiteration or definitions. Very few people are going to ask a lot of questions either. I think this is when things go horribly wrong in most organizations.

Of course, there are plenty of reporting requirements and other parts that are usually in these settlements. Being under these CAPs is not easy. Not at all.

This is only the second settlement announcement this year with only $125,000 worth of enforcement. Again, this is not the thing to fear. What you should be worrying about is all of the other things these cases bring on you if you haven’t done the work you are obligated to do under HIPAA.

More News

[46:42]Before this settlement came out I had queued up several news articles that relate to what we have been discussing over the last few months. Yes, it could be a moment where we enjoy being right but more than that it is information you can use to share with leadership and your team. Show them why you have been saying you believe what we are saying. Here we go with some quick ones to cover:

Breach Lawsuit Against Pediatric Dental Practice Dismissed

“A federal judge has dismissed a lawsuit filed against Sarrell Regional Dental Center for Public Health in the wake of a January 2019 ransomware attack that affected more than 391,000 individuals. The judge cited a lack of evidence that any data had been misused.”

Note that the attack was in Jan 2019. The inability to show potential harm has been done or can be done has kept many of these lawsuits out of court for years. But don’t get too excited about that idea. The landscape is changing.

Blackbaud security incident

If you have ever done anything in non-profits you have probably been working with or heard for blackbaud. Think of them as a non-profit organization’s management suite and consulting organization. In May, they got hit with a ransomware attack. In their announcement they say they “discovered and stopped one” . The thing is they really did stop it before everything was encrypted. That is great, right? Unfortunately, not anymore. As they continued they “ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”

Yes, as we have been discussing since the end of 2019 we are in a whole new world when it comes to ransomware. They did everything right here but guess what – they still had to pay.

Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.

They do go on to say they don’t  think anything really happened to your data. But, that means they believe the criminals.

How would the same court treat the previous case if these were the specifics of the attack. Can they still say that there is no evidence of harm? We have to assume at some point one of these cases will hit the courts. The lawyers need to be working on ways to make the same argument under these circumstances.

Heartland Counseling Services announces potential contacts information breach[50:19]A case where it appears that a staff member sent an email where they were supposed to use BCC and used CC instead. That is such a serious issue when it happens but there is very little between a user and it happening other than themselves. We know about that, huh.

As we mentioned before, people are going to be overworked and stressed out about so many things these days. Mistakes will be made and some of them will be big.  But, what if you are dealing with a case where it isn’t a mistake?

The Insider Threat: A Growing Concern

We encouraged everyone to reevaluate their risks associated with insider issues after the economic crisis resulting from the pandemic. This interview with Randy Trzeciak, director of the National Insider Threat Center at Carnegie Mellon University, a researcher who kind of knows about these things, is very interesting. Here is one of the important points they include in the introduction to the video interview:

“The motivators of an insider who eventually goes on to harm an organization is someone who is trying to overcome financial need or financial stress,” Trzeciak says.

Michigan Man Arrested for 2014 Hack of UPMC HR Databases and Theft of Employees’ Personal Information

We just got the big news a few weeks ago about an arrest of an attacker who hacked the systems and pulled data from the human resources file at the University of Pittsburgh Medical Center and stole PII of over 65,000 UPMC employees. They have a 43-count indictment against the guy. He is only 29 right now so much younger back then.

What mistakes or insider access would it take for the same thing to happen in other offices today? The economy was moving pretty well in 2014 compared to the mess we are in today. This guy supposedly started selling the data on the dark web along with other PII he picked up somewhere since then until around 2017. They say they know of $1.7m in false tax returns that were filed using this one data grab.

Back then, we were just starting to see what damage could be done with tax return fraud. Kind of like ransomware exploded around 2016. This stuff exploded back then. Now, we have so many more things happening.

One other note: according to Krebs on Security the guy was now working for the government with access to way more stuff: FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud ConspiracyGo to top

Get your business focused on securing information AND monitoring your systems for problems. If you are assuming things are ok, you are likely already in trouble.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

Subscribe to our newsletter now!