Since our last update in January, health care organizations across the country posted 165 breaches of PHI affecting 500 or more individuals. Most of the breaches (78 percent) were caused by unauthorized access or hacking. The percentage of breach investigations due to theft increased slightly (from 12 percent to 15 percent), but the overall number of breach investigations decreased slightly (from 180 investigations in the second half of 2017 to 165).
ASCs can take important steps to help prevent these sorts of breaches and limit their liability. ASCs are encouraged to review and update their policies and procedures regularly to prevent unauthorized access, improper disposal, and loss or theft of PHI. ASCs can also consult the enforcement actions published on the OCR website and consider how to avoid the mistakes made by others.
Below are selected enforcement actions that highlight a few precautions ASCs can take.
What Happened: Five separate security breaches occurred at various FMCNA (Fresenius Medical Care North America) facility locations in a six-month span between February and July 2012. Because FMCNA had not conducted an accurate and thorough risk analysis, it did not have adequate policies and procedures in place to address several security vulnerabilities. FMCNA paid a $3.5 million settlement.
Take Away for ASCs: OCR Director Roger Severino pointed out the lack of any "enterprise-wide risk analysis," highlighting the importance of a centralized information security plan that is implemented consistently across every facility. Each of the FMCNA covered entities had slightly different infractions, ranging from impermissible disclosures to inadequate tracking of hardware and electronic media, but in every case the facility's practices did not match defined policies and procedures for preventing and responding to security incidents. Several smaller incidents over the course of a few months added up to millions of dollars in settlement charges.
What Happened: Filefax, a company in Northbrook, Illinois, claimed to provide storage, maintenance and delivery services for medical records. An OCR investigation, however, revealed that Filefax had left the PHI of 2,150 individuals in an unlocked truck and allowed it to be taken to a shredding and recycling facility. Filefax closed during the course of the investigation, and a $100,000 settlement was still paid on its behalf.
Take Away for ASCs: It is imperative that ASCs consider the entire life cycle of any PHI they handle, including proper vetting of any outside entity that stores, transports or destroys PHI. In this instance, there were several impermissible points of access: PHI was transported in an unlocked truck, and an unauthorized person was allowed to remove PHI from Filefax. Also worth noting, Filefax's closing during the investigation did nothing to alter the result; HIPAA obligations do not end when an entity stops operating.