Hard times on the HIPAA front

A trio of ugly situations means painful publicity for lazy or sloppy organizations

It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. A community health care provider hacked by a disgruntled employee may be dragged into a compliance quagmire because it's not clear that the organization took basic steps to revoke his access. And to top it off, the U.S. Department of Health and Human Services (HHS) is starting to swing the enforcement rule -- a dowdy part of the Health Insurance Portability and Accountability Act (HIPAA) that few people read -- like a scythe in a field of weedy policies and overgrown practices.

Worried about audits?

The first HIPAA audit by the HHS has been widely reported. Atlanta's Piedmont Hospital received notice of the audit, and much has been made of the information requested. But did we not see this coming?

With governance reform and example-making in legislative vogue (even if not entirely well-informed or evenly applied), it's surprising that some health care organizations behave as if nothing will come of the HIPAA rules. But audits are merely an examination; organizations ought to think more than a step ahead about discovery of failed controls or the immediate effect of a breach.

Covered entities are responsible

The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two month later, disabled the backup systems and then systematically destroyed patient data. For this, Olsen faces an indictment (download PDF), a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.]

Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly."

The reader is right. When a systems or network administrator with broad access leaves an organization, hand-waving does not constitute proper revocation of access. Sure, the reality of working in a small organization means that separation of duties may be a luxury (and the HIPAA rules allow more leeway for small health care providers). However, that's no excuse for lack of monitoring to the degree that one simply does not know what the administrator installed or had access to, nor is it an excuse for failing to close off access before a new administrator arrives.

Sometimes an errant but trusted employee comes back to bite mere moments after termination, and the HIPAA enforcement rule (download PDF) allows for this. But the rule specifically notes that covered entities have 30 days to fix violations after discovery (§160.410 (b)(3)(ii)(A)). If an organization has an all-powerful administrator walk or be escorted out the door, one can instantly infer that there's an access violation, and that means the clock is ticking. If CCC took two months, then it has a problem.

1 2 3 Page 1
Page 1 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon