HIPAA Security Rule Compliance Urged by OCR

HIPAA Security Rule Compliance Urged by OCR to Reduce Vulnerability to Hacking and Ransomware

Office for Civil Rights warns healthcare providers, business associates, insurers against perils of non-compliance

HIPAA Security Rule compliance is essential to safeguard against hacking, ransomware, and other security incidents that lead to costly data breaches throughout the healthcare industry. Healthcare providers, business associates, and insurers must take Security Rule requirements and Patient Right of Access under the Privacy Rule much more seriously. Recent warnings from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) urge immediate action.

Violations settled in July, August, and September 2024 offer vital lessons for all healthcare organizations.

STAT: Conduct Regular Risk Assessments, Remediate Vulnerabilities, and Develop Incident Response Plan

In a press release of July 1, 2024, the Office for Civil Rights announced a settlement with Heritage Valley Health System, which provides healthcare in Pennsylvania, Ohio, and West Virginia. The settlement concerns potential violations of the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) following a ransomware attack on the healthcare provider.

The OCR investigation found multiple violations of the HIPAA Security Rule at Heritage Valley Health System, including:

• Failure to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI).
• Failure to implement a security incident response plan to respond to security events, such as ransomware attacks, that damage systems containing ePHI.
• Failure to implement policies and procedures to allow only authorized users to access ePHI.

Under the terms of this settlement, Heritage Valley Health System will pay $950,000 to the OCR and implement a corrective action plan that will be monitored by the OCR for three years. Heritage Valley will take specified steps to achieve HIPAA Security Rule compliance and protect the security of electronic protected health information. These mandatory actions include:

• Risk Assessment. Conduct an accurate and thorough risk assessment to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
• Remediation. Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk assessment.
• Documentation. Review, develop, maintain, and revise its written policies and procedures as needed to comply with the HIPAA Rules.
• Training. Train the Heritage Valley Health System workforce on the required HIPAA policies and procedures.

STAT: Take Patient Right of Access Seriously, Create Compliant Policy and Procedures, and Train Employees

Another common HIPAA violation is a delay of timely access to medical records, which violates the HIPAA Privacy Rule’s Right of Access provision. Providers have 30 days to respond to and fulfill such requests. One 30-day extension is allowable in certain circumstances but is not the norm.

In a press release on August 1, 2024, the OCR announced a civil monetary penalty of $115,200 collected against American Medical Response (AMR), a provider of emergency medical services across the U.S. The penalty is the result of an OCR investigation into a complaint that AMR had failed to provide a patient with timely access to their medical records, in violation of the HIPAA Privacy Rule.

The complaint alleged that the healthcare provider failed to provide a patient with timely access to their medical records despite multiple requests by the patient. The OCR investigation found that AMR indeed had failed to provide the required timely access.

As a result of the investigation, American Medical Response sent the patient a copy of their requested records and amended internal procedures to streamline and track Right of Access requests more effectively in order to comply with the Privacy Rule.

Healthcare providers and other covered entities are permitted to charge reasonable fees for filling patient record requests, and updated fee guidance is available from the OCR to assist providers in developing compliant procedures.

STAT: Beyond HIPAA, Make Sure Disability Practices and Procedures are Fully Compliant

An August 5, 2024 press release announced settlement of a complaint alleging that the New Jersey Imaging Network refused to perform a mammogram during a scheduled appointment because the patient was in a wheelchair. The OCR investigation and findings resulted in a voluntary settlement agreement designed to ensure the healthcare provider becomes and remains compliant with civil rights laws. Such laws guarantee the right of individuals with disabilities to “fully and equally enjoy any right, privilege, advantage, or opportunity enjoyed by others receiving an aid, benefit, or service, including access to medical diagnostic equipment.” 

This agreement requires New Jersey Imaging Network to take the following actions, which will be monitored by the OCR for a period of two years.

• Policies and Procedures. Revise existing policies and practices to make appointments available during normal business hours to all patients. Document requests for mobility assistance or other reasonable accommodations. Provide patients with a description of available accommodations and notify them of their rights under the law.
• Process. Develop a process for individualized assessment of patients who may require reasonable accommodations.
• Training. Train employees on the new policies to ensure they understand (1) the appropriate practices and procedures for interacting with and accommodating individuals with disabilities, (2) techniques for safely assisting individuals with limited mobility to ensure their safe access to and use of medical equipment and examination tables, and (3) the New Jersey Imaging Network’s various non-discrimination and non-retaliation obligations.
• Notification. Notify patients, staff, and the public of rights and protections afforded them by federal law, including the process for filing a disability-based discrimination complaint with HHS.

In the same vein, a press release of September 12, 2024 announced OCR findings that the San Juan Capestrano Hospital in Puerto Rico failed to provide a patient with a sign language interpreter in violation of the Rehabilitation Act (Section 504) and Affordable Care Act (Section 1557), which prohibit discrimination on the basis of disability. This situation is in the early stages of resolution among the parties.

STAT: Implement Full HIPAA Security Rule Compliance to Safeguard Patient Data and ePHI

In a July 1, 2024 statement, OCR Director Melanie Fontes Rainer emphasized that “Hacking and ransomware are the most common type of cyberattacks within the healthcare sector. Failure to implement the HIPAA Security Rule requirements leaves healthcare entities vulnerable and makes them attractive targets to cyber criminals.”

The OCR urges healthcare providers, business associates, health plans, and clearinghouses to “take the following steps to mitigate or prevent cyberthreats:”

• Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and that they address breach/security incident obligations.
• Integrate risk analysis and risk management into business processes.
• Conduct risk assessments regularly, and also when preparing to implement new technologies, install new hardware or software, and introduce business operations.
• Ensure audit controls are in place to record and examine information system activity, and conduct regular reviews of information system activity to detect suspicious activity promptly.
• Employ multi-factor authentication to ensure only authorized users are accessing protected health information.
• Encrypt PHI to guard against unauthorized access.
• Incorporate lessons from security incidents and data breaches into the overall security management process.
• Provide training specific to employees’ roles and job responsibilities on a regular basis and reinforce with employees their crucial role in protecting data privacy and security.

Implementing the above compliance actions represents a giant step toward reducing your risk of HIPAA violations that lead to hacking, ransomware schemes, phishing exploits, and other security breaches. Additional important lessons can be learned from HIPAA violations settled earlier this year.

Summary

HIPAA Security Rule compliance is essential to safeguard against hacking, ransomware, and other security incidents that lead to costly data breaches throughout the healthcare industry. Healthcare providers, business associates, and insurers must take Security Rule requirements and Privacy Rule Patient Right of Access requirements much more seriously, and recent warnings from the HHS Office for Civil Rights urge immediate action toward that objective.

Understanding why other covered entities have been investigated and penalized for non-compliant behaviors provides important insights into how organizations can reduce vulnerabilities, strengthen security safeguards, and avoid HIPAA violations. For assistance in converting these insights into positive actions for your organization, contact our experienced team of cybersecurity and compliance experts at 24By7Security.