On February 6, 2024, the Health and Human Services (HHS), Office of Civil Rights (OCR) announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by Montefiore Medical Center relating to data security failures by Montefiore that led to an employee stealing and selling patients' protected health information over a six-month period. 1

Part of the relevant facts identified in the press release by OCR was that Montefiore conducted an internal investigation after receiving evidence from the New York Police Department of theft of protected health information. The investigation concluded that for two years, "one of their employees stole the electronic protected health information of 12,517 patients and sold the information to an identity theft ring. Montefiore Medical Center filed a breach report with OCR."2

The settlement terms include a monetary settlement of $4.75 million and a corrective action plan with a two-year monitoring by the OCR to ensure compliance with the law. The press release provides us with key takeaways to keep in mind when thinking about Health Insurance Portability and Accountability Act (HIPAA) compliance, specifically the OCR indicated the following: "OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA must implement safeguards to mitigate or prevent cyber threats.

These include:

  • Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.
  • Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned. Ensuring audit controls are in place to record and examine information system activity.
  • Implementing regular review of information system activity.
  • Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
  • Encrypting protected health information to guard against unauthorized access.
  • Incorporating lessons learned from previous incidents into the overall security management process.
  • Providing training specific to an organization and job responsibilities and on a regular basis, and reinforcing workforce members' critical role in protecting privacy and security."3

We would additionally recommend that a review of systems to determine if those who should have access to name, date of birth, and full social security number be evaluated periodically to validate the correctness of access. This should also be kept in mind when offboarding procedures take place with employees who have access to high-risk files.

Reviewing the provided recommendations, there are various requirements that align with the Seven Elements of Effective Compliance Program as indicated by the Office of the Inspector General (OIG). Additionally, three initial bullets require an active analysis and assessment of your privacy and security programs in your institution to identify and correct weaknesses. Bullets four and five require security measures and tools that are discussed in HIPAA regulations and require an analysis to determine proper security parameters and authorizations depending on employee and staff roles. Lastly, the bottom two bullets are focused on how to incorporate past experiences and transmit lessons learned and proper training to your workforce. In sum, all these recommendations require an active monitoring of practices and day-to-day functions to identify and correct risks. Lastly, our additional recommendations fall in line with best practices that should be followed as regular audits and monitoring procedures for a proper compliance program.

Footnotes

1. HHS' Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million | HHS.gov

2. HHS' Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million | HHS.gov

3. HHS' Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million | HHS.gov

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.