Presumably at this point HIPAA, HITECH and the Omnibus Regulation have been published, digested and everyone is in full compliance with the requirements that have been set forth. Even the parts the Office of Civil Rights (OCR) hasn’t really defined. OCR is moving ahead with its mandatory auditing programs and audits continue to be of primary concern, both under HIPAA and the Meaningful Use II requirements. However the recent corrective action plan issued by OCR in regards to Idaho State University has some differences from the prior plans which may be attributable to the new breach analysis requirements or the underlying premise that we have all had enough time to learn how to comply with HIPAA and we better take compliance seriously.
OCR has had 13 corrective action plans through the current time period. Each of these has dealt primarily with significant breach issues. In the Idaho State University claim, Idaho State was a hybrid entity. It did not maintain a hospital or other major medical center but did have various clinics where treatment was provided. Idaho State notified OCR in 2011 that when it had taken down a server in the Department of Family Medicine, the server’s firewall had been deactivated. When it was re-commissioned the firewall was not put back in place and remained inactive for at least 9 months. Although Idaho State investigated this matter it determined that no information had been lost or inappropriately accessed when the firewall was absent. However, in an excess of caution, Idaho State decided to report this matter to OCR. There were over 17,000 patient records on the server and this voluntary report kicked off an OCR investigation.
OCR has consistently indicated that any investigation of a complaint is not self limiting; it is not exclusively an investigation of the Complaint itself but of the policies, practices and procedures of the entity being investigated. OCR subsequently determined that there were significant issues at Idaho State, including the failure to identify who was and was not part of the hybrid entity, therefore failing to identify who would be subject to the HIPAA regulations. There are also issues with training and an alleged failure by Idaho State to conduct the appropriate the security risk analysis for security management from “April 1, 2007 until November 26, 2012.” OCR determined that Idaho State failed to adequately implement security measures to reduce the risk and vulnerabilities for the same time frame or to implement procedures to regularly review records of information systems activity, i.e., failed to audit. Representatives of Idaho State have stated publicly that they had in fact conducted risk analysis but it simply wasn’t enough to meet the standards of OCR and that they were unable to locate supporting documents which would have showed underlying policy and planning relating to the risk analysis requirements. Ultimately, OCR fined Idaho State $400,000 as a result of this matter and placed a somewhat unusual requirement on the University, specifically that it complete a compliance gap analysis. In other words, in order to comply with this corrective action plan, Idaho State now has to complete a security risk analysis on steroids. After completion of such an analysis the University has indicated that it will be going to each clinic doing training and making sure the policies and procedures are correctly implemented.
The moral of this story is that no entity, big, small, hybrid or a standard CE is going to be exempt from required audits, security measures and the pressure for compliance that OCR is indicated will be ramping up and continuing in the future. In this instance, no breach occurred and Idaho State was fined $400,000 for the potentiality of a breach and for failing to do a lot of things many CEs have failed to do.