In 2017, South Florida-based Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services $5.5 million to settle potential violations of the HIPAA privacy and security rules and agreed to implement a robust corrective action plan. During a recent webinar, CISO Rich Leon outlined 10 areas MHS has addressed to beef up its privacy protections.
In its description of the settlement, HHS noted that the protected health information of 115,143 individuals had been impermissibly accessed by MHS’ employees and impermissibly disclosed to affiliated physician office staff. The log-in credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, six-hospital MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA rules, according to HHS.
This example highlighted the need for organizations to implement audit controls and review audit logs regularly, HHS noted.
Leon said that MHS has worked to raise awareness about privacy requirements through extensive training and video campaigns and has implemented privacy monitoring systems and managed privacy services. He also said MHS changed its privacy motto to “Privacy is Everyone’s Responsibility” to remind people that they wanted to obligate other entities that are accessing PHI at MHS.
During the webinar he spoke of 10 potential weaknesses and what MHS has done to address them.
1. No Automated Periodic Access Review Process. MHS has implemented a quarterly automated periodic access review process for employees, physicians, students and vendors, Leon said. It also has created a monthly, automated periodic access review process for non-employed physicians office staff, ACOs and population health organizations. This process wasn't automated or well-documented before the breach, he noted. “We are dialing in deeper trying to get this as close to perfect as possible,” he said.
2. Limited or Inaccurate User Identity Data. MHS now has comprehensive identity data available to the privacy program. Extensive metadata has been added for non-employees.
3. No Dedicated Privacy Department. MHS has hired Pascale Prepetit as corporate director of privacy, and he has created a team to work on privacy issues.
4. Flood of Access Requests for Physicians and Their Staff. MHS now has a strict and binding Enterprise Systems Access Policy with defined sanctions for policy violations. Every new organization it works with must identify the leaders in their organization who will be responsible for monthly verifications. “Those entities are bound to a monthly access verification process and a yearly re-certification process,” he said.
5. Lack of Documentation of Vendor Access and Business Associate Agreement Tracking. All vendors are now comprehensibly vetted, including a privacy checklist review before they obtain access. “We say, ‘no BAA, no access'" to PHI, Leon said.
6. Limited IT Resources for Provisioning and De-provisioning Users. MHS now has a dedicated System Access Team that manages all automated and manual provisioning processes. The team also manages the periodic access review process.
7. Lack of Adequate Sanctions of Policy Violations. MHS adopted a zero tolerance policy for privacy violations. The privacy program investigates all violations. Employment terminations have occurred. “That was a challenge,” Leon said. We had to have discussions around impacting the rights of employees.”
8. No Dedicated IT Security Team. Leon said he has worn many hats in IT at MHS over the years, but now he is laser-focused on privacy and security as CISO. He also has a manager of IT security.
9. Lack of Tools to Support a World Class Privacy Program. MHS put out a request for proposal for a privacy monitoring solution partner, and chose FairWarning in 2017. A plan of action is in place for eight monitored sources and eight enforced policies.
10. Solely Reactive Privacy Monitoring Program. MHS has contracted with FairWarning Managed Privacy Services and seen a reduction of false positive investigations, he said.
Looking Ahead
MHS is working with accountable care organizations, population health programs, and providers in its Epic Community Connect program. It is obligating those entities to do their own privacy review of access outside of their patient roster/list. Leon said MHS has identified a need to continue to obtain and document identity data for rapidly moving organizations with high turnover. They must document their workflows and defined access rules to maintain the “Minimum Necessary Standard.”
Leon said he keeps his eyes on technology enhancements that might help with the privacy program. For instance, he is interested in building location awareness into privacy monitoring, as well as developing risk scoring for roles, salary ranges, shifts and locations.