Excellus Health Plan has agreed to settle the charges of violating the HIPAA rules by paying a penalty of $5.1 million to the department of Health and Human Services (HHS). The New York based corporation that provides health insurance to over 1.5 million people in New York has also agreed to follow a corrective action plan for the next two years to address the potential violations.
This settlement between Excellus and the HHS is the result of an HHS investigation into the health plan’s compliance with the healthcare regulation that governs the privacy of patients’ health information. The investigation was triggered by the report of a data breach of the health plan’s networks back in 2015. The breach resulted from a hacking incident and was the largest breach of health records that year. The incident affected more than 9.3 million people.
As per the report filed by Excellus, the breach lasted for at least one and a half years, during which the hackers installed malware on the Excellus systems and went through the information stored on their networks. The intrusion began around December 2013 and ended in May 2015.
During this interval, the hackers compromised the health plan’s information system. Their actions might have resulted in the impermissible disclosure of the protected health information of millions of people, including names, addresses, dates of birth, social security numbers, bank account information, insurance claims, and treatment history.
Potential HIPAA violations by Excellus
Subsequently, the incident triggered an investigation in 2016 by the Office for Civil Rights of the HHS into the health plan’s compliance with the three HIPAA rules. The investigation indicated potential violations of several HIPAA provisions, including the requirements to
- Conduct risk analysis of potential risk and vulnerabilities to ePHI.
- Implement security measures to mitigate the risks and vulnerabilities.
- Implement procedures to review records of information system activity regularly.
- Implement policies and procedures to ensure that only authorized people and software can access the information systems that maintain the health information.
- Prevent unauthorized access to the data.
According to Roger Severino, the former director of the Office for Civil Rights at the HHS, the hackers’ activities, which went undetected for over a year, endangered the privacy of millions of people.
Along with this, the former director also stressed that healthcare entities need to step up their efforts to protect the privacy of health information from hackers.
How can you improve the security of your healthcare data
Specifically, two potential HIPAA violations stand out in the corrective action plan: firstly, the failure to conduct a thorough risk analysis of the potential risks and vulnerabilities of the information system, and secondly, the failure to prevent the hackers from accessing the systems.
Unfortunately, this isn’t the biggest case of a HIPAA violation resulting from insufficient access controls. Memorial Healthcare System paid $5.5 million and Anthem Inc. a whopping $16 million in penalties that resulted from the providers’ failure to prevent criminals from gaining access to ePHI.
Keeping this in mind, health plans and providers need to consider whether their access controls are sufficient, and whether they meet the standards set by the HIPAA rules.
HIPAA Security Standards: Technical Safeguards
The HIPAA Security Rule requires all health plans and providers to put in place the necessary technical safeguards for protecting ePHI.
The list of necessary safeguards includes the following controls.
- Access control
- Audit controls
- Integrity
- Person authentication
- Entity authentication
- Transmission security
With this in mind, we have put together a short list of safeguards and best practices that you can put into use easily.
Technical Safeguards to help improve your healthcare data security
Access controls
Put in place strict access controls to prevent unauthorized access. Consider implementing the following best practices.
- Implement role-based access
- Allow only authorized people to access patient data
- Assign unique user IDs to your workers
- Encourage employees to follow good password practices, such as using strong passwords, and changing passwords at regular intervals.
- Restrict physical access to office areas that store or use ePHI. Verify visitors’ identity before granting them access to such locations.
- Put in place a system to track user-activity over systems that store or access patient information.
- Restrict users from downloading and installing software
- Set up workstations to log off automatically after a period of inactivity
- Monitor all physical access-points to discourage practices such as tailgating and badge-swapping.
Audit controls
Monitor and record all activities that involve electronic PHI.
Integrity
Ensure that no one alters or destroys protected health information without proper authorization. You also need to have systems in place to verify whether PHI has been altered.
Another recommended method to protect the integrity of ePHI is to use encryption. Use encryption for all kinds of data, including data at rest, such as files, and data in transit, such as emails.
Person and entity authentication
Put in place a system to validate that the person, entity, or software trying to access the data is who it claims to be. In addition, consider implementing multi-factor authentication across your organization.
Transmission security
A similar system should be in place to guard against unauthorized transmission of information. Consider implementing the following suggestions.
- Put in place a system to detect deletion or modification of ePHI.
- Encrypt information before you transmit it.
- Store decryption tools separate from the encrypted PHI.
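The audit-control, integrity and transmission-security points above (record every access to ePHI, detect alteration or deletion of records, keep the key separate from the data) can be tied together in one small piece of code. The following is an added example written for this page, not code from Excellus, HHS or any product: it keeps a constructed set of fictional patient records, enforces role-based access with assumed role names, writes an audit entry for every attempt, and attaches an HMAC tag (keyed with a constructed demo key) to each record and to the list of record ids so that a modification or deletion made outside the application is detected on the next read or on a periodic sweep.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production the HMAC key comes from a key
# management service or HSM and is stored apart from the records.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample ePHI records (fictional patients).
SAMPLE_RECORDS = {
    "rec-001": {"name": "Patient A", "dob": "1980-01-01", "claim": "office visit"},
    "rec-002": {"name": "Patient B", "dob": "1975-06-15", "claim": "lab work"},
}

# Assumed role names and the actions each may perform (role-based access).
ROLE_PERMISSIONS = {
    "clinician": {"read", "write", "delete"},
    "billing": {"read"},
}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def _canonical(obj) -> bytes:
    # Deterministic serialisation so identical content always yields the same tag.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ProtectedStore:
    """Record store with per-user audit logging and HMAC integrity tags."""

    def __init__(self, key: bytes, records: dict):
        self._key = key
        self._data = {rid: dict(rec) for rid, rec in records.items()}
        self._tags = {rid: self._tag(rid, rec) for rid, rec in self._data.items()}
        self._manifest = self._manifest_tag()
        self.audit_log = []

    def _tag(self, rid: str, rec: dict) -> str:
        # The record id is bound into the tag so one valid record cannot be copied over another.
        return hmac.new(self._key, _canonical({"id": rid, "rec": rec}), hashlib.sha256).hexdigest()

    def _manifest_tag(self) -> str:
        # Tag over the set of ids so a silently deleted record is noticed.
        return hmac.new(self._key, _canonical(sorted(self._data)), hashlib.sha256).hexdigest()

    def _log(self, user, role, action, rid, outcome):
        # Audit control: every attempt is recorded, successful or not.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action, "record": rid, "outcome": outcome,
        })

    def _authorize(self, user, role, action, rid):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, action, rid, "denied")
            raise AccessDenied(f"{user} ({role}) may not {action} {rid}")

    def read(self, user, role, rid) -> dict:
        self._authorize(user, role, "read", rid)
        rec = self._data[rid]
        if not hmac.compare_digest(self._tags[rid], self._tag(rid, rec)):
            self._log(user, role, "read", rid, "integrity-failure")
            raise IntegrityError(rid)
        self._log(user, role, "read", rid, "ok")
        return dict(rec)

    def write(self, user, role, rid, rec: dict):
        self._authorize(user, role, "write", rid)
        self._data[rid] = dict(rec)
        self._tags[rid] = self._tag(rid, rec)
        self._manifest = self._manifest_tag()
        self._log(user, role, "write", rid, "ok")

    def delete(self, user, role, rid):
        self._authorize(user, role, "delete", rid)
        del self._data[rid]
        del self._tags[rid]
        self._manifest = self._manifest_tag()
        self._log(user, role, "delete", rid, "ok")

    def verify_all(self) -> list:
        """Periodic sweep: ids of altered records, plus 'manifest' if records vanished."""
        findings = [rid for rid, rec in self._data.items()
                    if not hmac.compare_digest(self._tags[rid], self._tag(rid, rec))]
        if not hmac.compare_digest(self._manifest, self._manifest_tag()):
            findings.append("manifest")
        return findings

    # The two methods below simulate changes made outside the application
    # (for example a direct edit of the backing database) for demonstration.
    def bypass_edit(self, rid, field, value):
        self._data[rid][field] = value

    def bypass_delete(self, rid):
        del self._data[rid]
        del self._tags[rid]


if __name__ == "__main__":
    store = ProtectedStore(DEMO_KEY, SAMPLE_RECORDS)
    print(store.read("dr_a", "clinician", "rec-001"))
    store.bypass_edit("rec-001", "claim", "surgery")
    print(store.verify_all())   # ['rec-001']
    print(store.audit_log)
```

The tag protects integrity, not confidentiality; encrypting the records at rest and in transit, as the article recommends, is a separate layer, and the same rule applies to both: the key lives in a key store the database account cannot read, so someone who can edit the data cannot also recompute the tags.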
In Conclusion
Most importantly, appoint a person as the access-granting authority of your organization. He or she needs to ensure that only those persons, vendors, and automated processes (such as APIs) that have a legitimate purpose to access the data get access to your information systems. Such an appointment has a two-fold benefit. Firstly, the process helps limit the people and processes accessing the information to the minimum necessary. And secondly, the person can verify whether the requesting party has put in place sufficient protections to safeguard the information.
Unfortunately, non-compliance with technical safeguards remains a common HIPAA violation among healthcare providers. As per Steve Adler of HIPAA Journal, failure to put in place sufficient access controls is among the most common violations.
To put it briefly, health plans and providers should not take the technical safeguards required under the HIPAA Security Rule lightly. Not just because of the enormous fines, but because the lack of these safeguards allows hackers to penetrate your systems and endanger not just your networks, but patients’ protected health information as well.