Breach Report Begets Settlement

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

Whenever an entity subject to HIPAA experiences a data breach, notification must be given to the Office for Civil Rights (OCR). Once OCR receives notification of a breach, an investigation will typically follow. That combination is a sure way for broader issues to be uncovered. That is the scenario that played out in the most recent settlement announced by OCR.

The Setup

Northeast Radiology, P.C. (Northeast) is a medical imaging center that stores information about its images on a Picture Archiving and Communication System (PACS) server. In March 2020, Northeast notified OCR that unauthorized access to the PACS server had been discovered. Since the images were of patients and included information about the patients, a breach was determined to have occurred.

Northeast’s notification indicated that the unauthorized access occurred from April 2019 through January 2020. Northeast determined that just under 300,000 patients had their information impacted.

The facts did not paint a great picture. Once unauthorized access to a system occurs, it’s easy for the impact to snowball and spread across a large number of individuals.

The Findings

The basics of the data breach notification are not necessarily unique. Unauthorized access unfortunately happens with a fair degree of frequency. Not discovering the intrusion for roughly 9 months was not a good showing.

As initially noted, the report kicked off an investigation by OCR. The investigation determined that Northeast did not conduct an accurate and thorough risk analysis of its system to understand where vulnerabilities existed and the types of issues that could arise.

The failure to do a risk analysis resulted in an agreement to pay $350,000 and enter into a corrective action plan that included 2 years of oversight by OCR.

What to Do

As announced by OCR, the settlement with Northeast is a continuation of the recent risk analysis initiative. It cannot be stated enough: a risk analysis is fundamental to actually being able to implement security measures and demonstrate compliance with the HIPAA Security Rule. If issues are not known, how can policies and procedures be adopted to address them?

While it is long past time to ensure that at least annual risk analyses are conducted, the recent proposed changes to the HIPAA Security Rule should underscore the absolute necessity of the analysis. The proposed changes would increase requirements around the risk analysis and ensure a truly comprehensive and thorough assessment of systems and operations occurs.

Are organizations ready for stepped-up compliance with respect to the risk analysis? The honest answer is unclear, and probably not. That means operations should be adjusted now, with increased attention given to this basic building block of compliance.

This article was originally published on The Pulse blog and is republished here with permission.