
HHS OCR Announces HIPAA Settlement with California Imaging Provider

On May 15, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with a small California healthcare provider that conducts magnetic resonance imaging and related services. The settlement concerns potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules.

The resolution follows an OCR investigation into a breach involving an unsecured server that stored the medical images of 21,778 individuals. OCR initiated a compliance review after receiving notice that the provider experienced unauthorized access to its Picture Archiving and Communication System (PACS), which is used to store, retrieve, manage, and access radiology images.

The investigation found that the provider had not conducted a HIPAA-required risk analysis and failed to issue breach notifications to affected individuals within 60 days of discovering the breach, as required by law.

As part of the settlement, the provider agreed to pay $5,000 and implement a corrective action plan, which OCR will monitor for two years. The provider also committed to improving compliance with HIPAA Security and Breach Notification Rules by taking the following actions:

    • Providing required breach notifications to affected individuals, HHS, and the media;
    • Submitting to OCR its most recently completed risk analysis, covering all electronic media, regardless of source or location (i.e., electronic equipment, data systems, programs, off-site data storage, and applications), that contain, store, transmit, or receive electronic protected health information (ePHI);
    • Developing and implementing a risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis;
    • Developing, maintaining, and revising, as necessary, written policies and procedures to comply with the HIPAA Rules; and
    • Providing workforce training on HIPAA policies and procedures to all workforce members who have access to ePHI.

“Cybersecurity threats affect large and small covered healthcare providers,” said OCR Acting Director Anthony Archeval. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

Compliance Perspective

Issue

The Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification rules, which establish standards that covered entities and business associates must follow to protect the privacy and security of protected health information (PHI). OCR encourages organizations to mitigate cybersecurity risks by identifying where ePHI is stored and transmitted, conducting regular risk analyses, implementing risk management processes, maintaining audit controls, monitoring system activity, restricting and authenticating access to ePHI, encrypting data when appropriate, incorporating lessons learned from security incidents, and providing workforce training based on job responsibilities. For breaches involving 500 or more individuals, covered entities must notify affected individuals, the Secretary of Health and Human Services, and the media without unreasonable delay and no later than 60 days after discovery.

Discussion Points

    • Review and update policies and procedures related to HIPAA, PHI, and the Privacy, Security, and Breach Notification rules. Ensure they include processes for conducting regular risk analyses, identifying and addressing security vulnerabilities, and issuing timely breach notifications to individuals, HHS, and, when required, the media. Procedures should clearly define responsibilities, timelines, and documentation requirements following the discovery of a breach.
    • Train appropriate staff on HIPAA requirements, including the Security Rule, breach notification obligations, and risk analysis procedures. Emphasize timely reporting requirements and educate staff on recognizing and responding to potential breaches. Provide training upon hire, annually, and whenever relevant policy or technology changes occur.
    • Conduct periodic audits to confirm compliance with HIPAA policies and procedures, assess staff understanding of breach response protocols, and ensure risk analyses are being conducted, documented, and acted upon. Use audit findings to address any gaps in breach detection, reporting, or mitigation.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*