TN Business Associate Pays $2.3 Million in HIPAA Violations

Ouch! $2.3 million penalties assessed against a TN Business Associate, CHSPSC LLC.  The breach occurred in 2014 when the attackers were able to get into systems through a VPN (Virtual Private Network) using compromised admin credentials. The investigation is now complete, and penalties have
now been assessed by the Office for Civil Rights.   These were the 5 major HIPAA violations:

1. CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI (electronically protected health information) of 6,121,158 individuals until August of 2014. The violation falls under the Use and Disclosures of ePHI. A Covered Entity or a Business Associate must NOT disclose protected health information except as permitted or required.
2. CHSPSC failed to respond to a known security incident from April 18, 2014, to June 18, 2014, and to mitigate the harmful effects of the security breach, document the breach, and its outcome. The FBI notified CHSPSC of the persistent cyber-hacking threat to their information systems. The
   Business Associate was in violation of 45 C.F.R.§164.308(a)(6)(ii). We must identify and respond to all suspected or known security incidents. We must have a security incident response policy and procedure for identifying and responding to all suspected or known security incidents. All security incidents, whether breach reportable or not, should be documented and mitigated.
3. CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(A). It is especially important to conduct an accurate and thorough Risk Analysis which includes vulnerability scans.  Vulnerability scans should be performed periodically on servers and workstations as this could identify open ports and credential issues.  We must ensure our Risk Analysis and Risk Management Processes are on-going as our environment operations change.
4. The Business Associate failed to implement technical policies and procedures permitting access to only authorized individuals to information systems and software programs containing ePHI (electronically protected health information) maintained by CHSPSC. HIPAA violation of 45 C.F.R. §164.312(a). This is part of Access Control policies and procedures that were not implemented. This includes that only those who should have access actually have access based on their job role, unique ID, automatic log-off, encryption, and decryption where it should be applied.
5. Information System & Activity Review policies and procedures were not implemented to ensure that information system activity records were regularly reviewed that include security incident tracking reports, log reviews, and so forth, violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).This is part of the Information System Activity Review which is required and must be implemented. We must regularly review records of information system activity to include audit logs, access reports, and security incident tracking. We must document that our systems and software programs have been reviewed. In addition,  it is important to periodically review audit logs such as log in monitoring. Log in monitoring is an addressable item; however, the BA (Business Associate) failed to address log in monitoring as a reasonable and appropriate safeguard to apply.  According to the security rule, if it is a reasonable and appropriate safeguard to apply, we must implement the safeguard. 

What does it mean to be HIPAA compliant? How do you make a ‘good faith’ effort in HIPAA compliance to avoid huge penalties? Making a ‘good faith’ effort in HIPAA compliance consists of the following:

• Current HIPAA Privacy & Security Policies
• Security Risk Assessment/Analysis
• Security Risk Work Management Plan
• Signed Business Associate Agreements
• HIPAA training

If you are a Privacy/Security Officer, Doctor, or in upper management, join us in our 6-hour intense HIPAA compliance camp on October 30, 2020, where we break down HIPAA compliance to better assist you and your team in making the ‘good faith’ effort. A link is provided below to register.

CLICK HERE to register to Advanced HIPAA & Cybersecurity

Remember to: “Protect What You Collect and make a ‘good faith’ effort in HIPAA compliance!”