On February 7, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) released information about its settlement with Cottage Health, a California hospital system. Following two breach reports from Cottage Health, OCR conducted an investigation that concluded with a resolution agreement and a settlement for $3 million.
The first breach resulted from a Cottage Health contractor’s removal of electronic security protections from one of the system’s servers. This caused protected health information (PHI) of approximately 50,917 individuals to be available to anyone with access to Cottage Health’s server. The second breach, affecting 11,608 individuals, resulted from an employee misconfiguring a server, leading to PHI — including Social Security numbers — being accessible on the internet.
In its investigation, OCR determined that Cottage Health did not conduct a thorough and accurate risk assessment and failed to implement a risk management plan. In addition, highlighting that these security risk assessments are “living” documents, OCR found that Cottage Health did not periodically evaluate its technical and non-technical processes after environmental or operating changes that affected the security of its electronic PHI.
These breaches highlight two areas of compliance weakness for HIPAA covered entities and business associates: personnel and vendors. While there may not be a way to completely mitigate all risk that comes from the involvement of human actors and third-party vendors, an entity can take a number of steps to lessen its risk.
With respect to vendors, first and foremost, an entity must ensure that it has a HIPAA business associate agreement in place if PHI will be accessed, created or transmitted as part of the arrangement; OCR found that Cottage Health did not have a written business associate agreement with its contractor. A covered entity or business associate also should perform reasonable diligence of its potential vendors to ensure that they understand their privacy and security obligations and maintain robust HIPAA compliance programs.
Covered entities and business associates also are required to ensure that their workforces are trained in HIPAA compliance. In addition to education about regulatory requirements, an entity should train its personnel in the nuances of its compliance program specific to the services that it provides, the systems and processes that it employs, and the types of data that are relevant to an individual’s job duties.
As part of its release about the Cottage Health enforcement action, OCR tallied its 2018 settlements and cases from HIPAA enforcement actions, which totaled $28.7 million.