In June 2023, the US. The Department of Health and Human Services (HHS) reached an agreement with Yakima Valley Memorial Hospital over a significant breach of privacy and security rules. Specifically, HHS found that several security guards had inappropriately accessed the private records of up to 419 patients.
This settlement demonstrated administrative and internal security is essential to Covered Entities and Business Associates. We will discuss these controls and what they mean for HIPAA-regulated organizations.
Physical and Insider Threats Under HIPAA
HIPAA sets specific requirements for Covered Entities and Associates to safeguard PHI. While we’ve often discussed cybersecurity as it relates to HIPAA, it’s also just as critical to have measures in place to prevent unauthorized individuals that work under a CE or BA from viewing or stealing information they are not supposed to have.
Generally speaking, here are some of the expectations related to protection against physical security threats and insider threats:
Physical Security Threats
- Facility Access Controls: CEs and BAs must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities they are housed in while ensuring that properly authorized access is allowed.
- Workstation and Device Security: Policies and procedures should be in place to specify the proper functions to be performed, how those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access e-PHI. Device and media controls must also be in place to govern the receipt and removal of hardware and electronic media that contain e-PHI into and out of a facility and the movement of these items within the facility.
- Access Control and Validation Procedures: There should be procedures to control and validate a person’s access to facilities based on their role or function, including visitor control and access to software programs for testing and revision.
- Personnel Security: Organizations must implement procedures to ensure that all staff members have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access. This includes implementing procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in the entity’s sanction policy.
- Information Access Management: Ensure that only the minimum necessary access is granted to employees to perform their roles effectively. This principle limits the potential for insiders to misuse or leak data.
- Security Awareness and Training: All workforce members should receive training and standard security policies and procedures updates. This includes reminders about security, protection from malicious software, login monitoring, and password management.
- Incident Response and Reporting: Procedures should be in place to identify, respond to, and report security incidents and mitigate harmful effects.
- Regular Risk Analysis and Management: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the covered entity or business associate. Implement security measures sufficient to reduce threats and vulnerabilities to a reasonable and appropriate level.
In the case of Yakima Valley, the primary issue was that security guards (who have no reason to access PHI) were doing so with credentials gained during their job.
What Are HIPAA Administrative Controls?
A different but parallel requirement for organizations to follow includes managing administrative controls. These differ from physical security controls in that they refer to training, policy creation and enforcement, and access management rules. These may overlap with physical security but do exist on their own.
Under the HIPAA Security Rule, Covered Entities (CEs) and Business Associates (BAs) are required to meet some of the following administrative requirements:
- Security Management Processes: Implement policies and procedures to prevent, detect, contain, and correct security violations. This includes risk analysis, management, sanction and punitive policies, and regular system reviews.
- Assigned Security Responsibility: Designate a security official responsible for developing and implementing the policies and procedures required by the Security Rule.
- Workforce Security: Implement policies and procedures to ensure that all workforce members have appropriate access to ePHI and prevent those who should not have access from obtaining access to ePHI.
- Information Access Management: Implement policies and procedures for authorizing access to e-PHI. These procedures should establish access consistent with the Privacy Rule to limit uses and disclosures of ePHI to the “minimum necessary.”
- Security Awareness and Training: All workforce members (including management) should receive periodic security updates and training. This should include procedures for guarding against, detecting, and reporting malicious software and monitoring login attempts and reporting discrepancies.
- Contingency Plan: Establish policies and procedures for responding to an emergency or other occurrence (like fire, vandalism, system failure, or natural disaster) that damages systems that contain e-PHI. This includes data backup, disaster recovery, and emergency mode operation plans.
- Evaluation: Perform periodic evaluations to see if any changes in business or the law affect the security of e-PHI.
- Business Associate Contracts and Other Arrangements: CEs and BAs must enter into contracts to ensure that these BAs will appropriately safeguard e-PHI. The agreement must detail the uses and disclosures of e-PHI by the BA.
While administrative controls might seem unrelated to the Yakima Valley case, consider that the offending individuals could access this data freely. This means there was a breakdown of credential and access control–an administrative issue.
Penalties for Breaches Due to Insiders or Lack of Administrative Controls
HIPAA will typically include standard penalties for data breaches and HIPAA violations. However, there is some flexibility regarding how these penalties are applied. Furthermore, HHS wants healthcare organizations to meet their regulatory requirements, which means that they can help organizations remediate issues… if that organization is willing to do that work.
In the case of Yakima Memorial, the Office for Civil Rights (OCR, the office within HHS managing HIPAA compliance) decided to reach an agreement limiting fines to $240,000.
Additionally, OCR and HHS expect Yakima Memorial to adhere to a set of requirements, including:
- Conduction of accurate risk analysis to determine internal risk profiles, especially those associated with insiders and service providers.
- Develop Risk management plans to address the specific issues that led to this security breach.
- Maintain written HIPAA procedures.
- Enhance existing HIPAA training and education with updated policies and procedures.
- Review third-party service provider and vendor contracts, and ensure that any existing and future relationships only exist with a Business Associate Agreement (BAA).
These corrective actions have been made public through the HHS website and detail some of the issues that arose with these actions.
Stay Ahead of HIPAA Regulations with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.