Hospital HIPAA Breach Highlights the Value of a Thorough Risk Assessment

Recently, a university hospital reached a settlement over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) following an investigation into a breach of unsecured Protected Health Information (PHI). PHI belonging to nearly 1,700 individuals was impermissibly disclosed when the hospital’s network was compromised by malware; the hospital did not have an acceptable firewall in place. As HIPAA regulations require, the hospital reported the breach in 2013. Soon after, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), opened an investigation of the hospital, which revealed that a risk analysis was not conducted until two years after the reported breach.

The hospital, designated as a Hybrid Entity under HIPAA, performed both covered and non-covered functions in its business operations. However, it had not properly categorized all of the covered functions among its activities. Hybrid Entities, in addition to complying with HIPAA requirements as a Covered Entity, must also analyze and clearly delineate their covered and non-covered business functions. Because the hospital had not accurately identified its covered functions through a thorough risk assessment, the existing vulnerabilities at the center where the breach occurred went unaddressed and were then exploited.

The HIPAA Security Rule requires Covered Entities to implement and maintain the administrative, physical and technical safeguards needed to address vulnerabilities and protect individuals’ PHI. This hospital may have avoided the monetary settlement, and potentially the breach itself, by recognizing and addressing the need for a firewall at the center that maintained PHI. An appropriate risk assessment, which HIPAA makes mandatory, would have surfaced that vulnerability before it was exploited.

If you or your practice require assistance in analyzing your business’ vulnerabilities, contact Frier Levitt for help conducting a comprehensive risk assessment. An accurate and thorough evaluation of the risks and vulnerabilities in your environment can both reduce the likelihood of a breach and limit the fines and penalties that may be imposed as the result of one.