HIPAA Breach Results in Highest Settlement in OCR History
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced earlier this month that it has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., the largest Blue Cross and Blue Shield health benefit company in the country. Anthem, Inc. agreed to pay $16 million to HHS and to take substantial corrective action to settle numerous potential violations of both the HIPAA Privacy Rule and the HIPAA Security Rule after it exposed the protected health information (PHI) of nearly 79 million people.
In March 2015, Anthem filed a breach report with OCR after discovering that its Information Technology (IT) systems had been infiltrated by cyber-attackers. The attackers gained their initial foothold after an Anthem employee opened a phishing email. That foothold was used to launch an advanced persistent threat (APT) attack that went undetected and gave the attackers access to Anthem's systems from December 2014 through the end of January 2015. That access ultimately resulted in the theft of the PHI of nearly 79 million people.
OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis. Additionally, OCR determined that Anthem “failed to have sufficient policies and procedures to regularly review IT system activity, identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent impermissible access to electronic PHI.”
As part of the settlement, Anthem must comply with a Corrective Action Plan (CAP) for a period of two years. Under that CAP, Anthem must conduct an “accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem.” This risk analysis must be submitted to OCR for review and approval. The CAP also requires the review, revision, and distribution of all written policies and procedures addressing Information System Activity Review and Access Control for systems containing ePHI, as well as regular and ongoing reporting to OCR on actions taken under the Plan and on any reportable events.
The day following the Anthem, Inc. settlement press release, OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) announced that they have strengthened the Security Risk Assessment (SRA) Tool to improve its functionality. The SRA Tool is designed for use by small to medium sized health care providers to help them identify risks and vulnerabilities to ePHI within their practices. All HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in their organizations.
Ambulance services should conduct a comprehensive Risk Analysis of their systems. This Risk Analysis should cover all ePHI the service creates, receives, maintains, or transmits, and should address all applicable provisions and requirements under HIPAA, including the Security Rule's risk analysis standard at 45 CFR 164.308(a)(1)(ii)(A). While this settlement highlights the significant risks associated with ePHI and IT systems, there remain significant risks to PHI in non-electronic forms as well. This settlement is a stark illustration of how apathy or a reduced focus on compliance can lead to devastating results.
Contact the American Ambulance Association (AAA) with questions or assistance regarding any HIPAA related or other ambulance service compliance issue.