While the world might still be in varying states of chaos with regard to a multitude of topics, when it comes to HIPAA fines and enforcement of regulations, things are getting back on track.
As the pandemic settled into daily life and it became clear that sharing information could be lifesaving, the Office for Civil Rights (OCR) relaxed its enforcement of certain HIPAA requirements in connection with COVID-19.
Months later we are still seeing leniency in HIPAA enforcement where the pandemic is concerned, but as things start to return to ‘normal’, OCR continues to reach settlements for earlier HIPAA violations. It has just settled with the city of New Haven, Connecticut, over a 2017 breach of the protected health information (PHI) of only 498 individuals: a $202,400 civil monetary penalty plus a corrective action plan. We say ‘only 498’ not to dismiss any one of them, but to emphasize that this was not the kind of breach that makes headlines for the number of people or records involved. The point is that it can happen to anyone, on any scale, and there will be repercussions to consider; the smaller the organization, the harder the hit may be felt.
The New Haven settlement stemmed from a security incident in which a former employee, who had been fired, returned to the health department and logged into her old computer. Her building keys had not been collected and her account had not been disabled, so she was able to enter the site, log on, and download information onto a USB drive. She also removed boxes of personal items and paper documentation. She was accompanied by a union representative, and the incident was reported by a student intern who was present at the time.
The damage did not end there: she had also shared her credentials with an intern (not believed to be the one who reported the incident), who was able to access PHI on the network long after the termination. Disabling the account at termination would have cut off both of them; leaving it active left a second, unmonitored path to patient data.
The breached data included names, contact information, birthdates, demographic details, and sexually transmitted disease test results.
“Medical providers need to know who in their organization can access patient data at all times,” said OCR Director Roger Severino, in a statement. “When someone’s employment ends, so must their access to patient records.”
A few points stand out from this breach. First, discrepancies and violations are no longer being overlooked the way they largely were for much of this year. That is not to suggest it was the wild west or a lawless society, but there was a sense of leniency between the healthcare industry and its regulators. Second, this was a ‘small breach’ compared with many we hear about on the news, yet it still carried a relatively large fine, and that figure does not include the other expenses a breach brings. Finally, and most critically, the whole incident was carried out internally by trusted individuals who should have known better and were relied on to do the right thing. Had it not been for the student intern, it might have gone undiscovered much longer.
The right people need to be in place, and, equally important, so do the right policies: revoking accounts and collecting keys the moment employment ends, and never allowing credentials to be shared.