On June 26, 2015, Meritus Health reported to the U.S. Department of Health and Human Services’ Office for Civil Rights a potential privacy breach involving protected health information (PHI). The incident was discovered in May during a routine compliance check and self-audit. The investigation found that an employee of one of Meritus’s business associates had inappropriately accessed patient records. Business associates may legitimately access PHI held by covered entities (organizations subject to HIPAA regulations, including the Privacy Rule), but that access should be limited to the patient files they are actually working on. In this case, the employee viewed PHI for patients outside their scope of work.
Keith Fricke, principal consultant at tw-Security states,
“People are the weakest link in security; behavior contrary to company policy and poor choices in how privileged access is used will always be a risk.”
The patient information that was potentially compromised includes:
- Names
- Age
- Gender
- Medical record number
- Health insurance information
- Certain clinical information, such as treatments and/or diagnosis
According to Meritus, there is no indication that the viewed information was misused. Meritus issued the following statement on its plans to better secure PHI:
“To help prevent something like this from happening again, we are working to further strengthen controls related to vendor access to patient information, and we are enhancing our existing system monitoring capabilities with regard to vendor access.”
Even though Meritus already had a compliance check and self-audit policy in place, it recognized the need to monitor business associates more closely. Covered entities must exercise due diligence in confirming that their business associates have proper procedures in place to keep PHI secure.
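Meritus describes two controls: vendor access limited to the patient files a business associate is assigned, and monitoring of that access. The following is an added example (not Meritus’s own tooling or code from the original article) of what the monitoring half looks like in practice. It parses a constructed EHR access log, compares each vendor account’s record views against an assumed assignment list (the medical record numbers the vendor is contracted to work on), and flags views outside that scope as well as views by vendor accounts with no assignment on record. The log format, the `vendor_` account prefix, the MRNs and the assignment table are all assumptions made for the example.

```python
"""Scope-based vendor access monitoring over a constructed EHR audit log.

Added example, not code from Meritus or the original article. The log
format, account names, MRNs and the assignment table are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed: which medical record numbers each vendor account is assigned
# to work on. In a real deployment this comes from an authoritative source
# such as the vendor's ticket or work-queue system, not from the vendor.
ASSIGNMENTS = {
    "vendor_jdoe": {"MRN-1001", "MRN-1002"},
    "vendor_asmith": {"MRN-2001"},
}

# Constructed sample audit log: one record view per line.
SAMPLE_LOG = """\
2015-05-04T09:12:03 user=vendor_jdoe action=VIEW mrn=MRN-1001
2015-05-04T09:14:41 user=vendor_jdoe action=VIEW mrn=MRN-1002
2015-05-04T09:20:17 user=vendor_jdoe action=VIEW mrn=MRN-3007
2015-05-04T09:21:05 user=vendor_jdoe action=VIEW mrn=MRN-3008
2015-05-04T10:02:55 user=vendor_asmith action=VIEW mrn=MRN-2001
2015-05-04T10:05:12 user=vendor_unknown action=VIEW mrn=MRN-1001
"""

VENDOR_PREFIX = "vendor_"  # assumed naming convention for business-associate accounts


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    mrn: str


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(
            AccessEvent(
                ts=datetime.fromisoformat(ts_str),
                user=fields["user"],
                action=fields["action"],
                mrn=fields["mrn"],
            )
        )
    return events


def out_of_scope_accesses(events, assignments):
    """Return (event, reason) pairs for vendor views outside assigned scope.

    Two conditions are flagged: a vendor account that views an MRN not in
    its assignment set, and a vendor account with no assignment at all
    (e.g. a contract that ended but whose account was never disabled).
    """
    findings = []
    for e in events:
        if not e.user.startswith(VENDOR_PREFIX):
            continue  # only business-associate accounts are in scope here
        allowed = assignments.get(e.user)
        if allowed is None:
            findings.append((e, "no assignment on record"))
        elif e.mrn not in allowed:
            findings.append((e, "record outside assigned scope"))
    return findings


def summarize_by_user(findings):
    """Count out-of-scope views per vendor account, for alert prioritization."""
    counts = {}
    for e, _reason in findings:
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


if __name__ == "__main__":
    findings = out_of_scope_accesses(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for e, reason in findings:
        print(f"{e.ts.isoformat()} {e.user} {e.action} {e.mrn}: {reason}")
    print(summarize_by_user(findings))
```

The check is only as good as the assignment data: if the vendor can edit its own work list, an out-of-scope view simply becomes an in-scope one. Keep the assignment source under the covered entity’s control and review it as part of the same audit.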
According to Andrew Hicks, health care practice director at the risk management consulting firm Coalfire,
“The HIPAA Omnibus Rule not only mandates that business associates comply with HIPAA regulations but covered entities must gain ‘satisfactory assurances’ that their business associates and the business associates’ downstream subcontractors have a mature security program in place to protect their covered entity customers’ ePHI. However, the fact remains that most business associates – large and small – do not have strong controls in place when it comes to people, processes and technology, so these breaches are going to continue.”
Data security is becoming more complex and harder to manage as organizations must secure not only their in-house data but also the vendors who access information they remain responsible for. That is exactly the situation of covered entities in health care and the business associates they work with.
Contact us for assistance with data security on retired data-containing devices for your organization and your business associates. Our services include data destruction reporting and compliance plan creation to help your organization minimize the risk of breach in at least one area of the data storage chain.