The final HIPAA enforcement action for 2018, between Cottage Health and OCR, reaffirmed yet again that entities must conduct a thorough and accurate Risk Assessment to identify and reduce risks and vulnerabilities to their ePHI. ePHI is not found just in the EHR, but may be found on hard drives, medical modalities and devices, servers, email accounts, etc. Additionally, OCR once again has sent a costly reminder that Risk Assessment is not enough - you must then mitigate those risks or put compensating controls in place to prevent unauthorized access to ePHI.
This resolution agreement was also another reminder that obtaining satisfactory assurances that your third party vendors WILL safeguard the ePHI of the practice is required. Business Associate Agreements must be executed, but should never be entered into lightly. What proof exists that the Business Associate can or will actually conduct business in keeping with the tenets of the HIPAA rules?
In the Cottage Health Resolution Agreement OCR found that:
CH failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the ePHI held by CH. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
CH failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). See 45 C.F.R. § 164.308(a)(1)(ii)(B).
CH failed to perform a technical evaluation in response to CH’s contractor installing Windows OS. See 45 C.F.R. § 164.308(a)(8).
CH failed to obtain satisfactory assurances from a particular contractor, in the form of a written business associate agreement, that the contractor would appropriately safeguard ePHI that the contractor maintained on behalf of CH. See 45 C.F.R. §§ 164.308(b) and 164.502(e).