Small and midsized enterprises (SMEs) continue to be targeted by ransomware, phishing and other cyberattacks, and the consequences can be devastating. They include putting an SME out of business, which unfortunately is what happened to one small medical practice in Battle Creek, Michigan, as reported by HIPAAJournal.

The reality is that the effects of these attacks can be significantly mitigated with a bit of planning. Just maintaining good backups, kept offline or otherwise out of reach of an attacker who controls the production systems and periodically verified as restorable, can go a long way. Of course, there are a number of other steps that SMEs can take to defend against these attacks more comprehensively.
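A backup only helps if it is still intact after the attack. The following is an added example, not code from the original post or from any backup product: it assumes a backup job records a SHA-256 manifest of the files it copies, and a later verification run recomputes the hashes to report files that are missing, changed, or changed and high-entropy (what an encrypted file looks like). The manifest name, the sample records and the simulated attack are all constructed for the example.

```python
"""Verify a backup set against a manifest written when the backup was taken.

Added example for this post, not code from the original article or from any
backup vendor. It assumes a backup job writes manifest.json (relative path ->
SHA-256) for the backed-up files, and that a later verification run recomputes
the hashes. Files that are missing, changed, or changed *and* high-entropy (the
signature ransomware leaves behind) are reported separately.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical name chosen for this example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(root: Path) -> dict:
    """Record the hash of every regular file under root (except the manifest itself)."""
    entries = {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the files under root with a trusted manifest.

    The manifest is passed in rather than read from root because an attacker who
    can encrypt the backup can also rewrite a manifest stored beside it; keep the
    authoritative copy on a separate, write-once medium.
    """
    report = {"ok": [], "missing": [], "modified": [], "suspected_encrypted": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(path) == expected:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        # Only the first 64 KiB is sampled; that is enough to tell ciphertext from text.
        if byte_entropy(path.read_bytes()[:65536]) >= entropy_threshold:
            report["suspected_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed two-file backup, then simulate a ransomware run over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient_001.txt").write_text("constructed sample record\n" * 50)
        (root / "records" / "patient_002.txt").write_text("another constructed record\n" * 50)
        manifest = write_manifest(root)
        # Simulated attack: one record overwritten with ciphertext-like random bytes,
        # one deleted outright, mirroring the encrypt-then-delete sequence in the story.
        (root / "records" / "patient_001.txt").write_bytes(os.urandom(4096))
        (root / "records" / "patient_002.txt").unlink()
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the report for the constructed backup. In practice the manifest should be produced by the backup job and stored where the backup host cannot overwrite it, and the verification should run on a schedule from a separate machine, so that a silent corruption or encryption of the backup set is noticed before the day it is needed.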

Reports about the Michigan practice explain that the malware encrypted the system that maintained patient records and that the owners refused the attacker’s demand for payment. Refusing to pay is not uncommon. The Federal Bureau of Investigation, which provides guidance on preventing ransomware attacks, does not encourage paying the ransom. In some cases ransomware victims have recovered their data after paying, but there is no guarantee of that in any particular case; attackers have been known to demand more money to unlock the data after the requested payment was made. Note also that paying a ransom to persons or entities on a U.S. Department of the Treasury Office of Foreign Assets Control (“OFAC”) sanctions list could result in prosecution.

When the Battle Creek physicians did not succumb to the demand for payment, the attackers deleted all of the encrypted files. Reports indicate that no patient data was accessed or exfiltrated (removed) from the practice’s systems; however, some patients may have lost all or a portion of their medical records. The practice is scheduled to close at the end of this month.

SMEs certainly can improve their defenses to prevent and minimize the effects of an attack; however, they also need to be prepared to respond to an attack when it happens. Maintaining a written incident response plan is critical. This is particularly true for health care providers and other HIPAA covered entities and business associates. The federal Office for Civil Rights has provided guidance for dealing with ransomware attacks. Notably, the guidance provides that when PHI (protected health information) is encrypted in such an attack, a breach is presumed and notification is required unless the entity demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The guidance adds that:

Although entities are required to consider the four factors listed above in conducting their risk assessments to determine whether there is a low probability of compromise of the ePHI, entities are encouraged to consider additional factors, as needed, to appropriately evaluate the risk that the PHI has been compromised. If, for example, there is high risk of unavailability of the data, or high risk to the integrity of the data, such additional factors may indicate compromise. In those cases, entities must provide notification to individuals without unreasonable delay, particularly given that any delay may impact healthcare service and patient safety.

Taking steps to prevent an attack is important, but all SMEs, including those in the healthcare sector, also need to be prepared to respond to these and similar kinds of attacks. Failure to take these steps could have substantial effects on the business, including causing the business to close.

As wearable and analytics technology continues to explode, professional sports leagues such as the NFL have pushed aggressively into this field (see Bloomberg). NFL teams insert tiny chips into players’ shoulder pads to track different metrics of their game. During the 2018-2019 NFL season, released data showed that Ezekiel Elliott ran 21.27 miles per hour on a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone, as all 32 teams throughout the league can access this chip data, which is collected via RFID tracking devices. Sports statistics geeks don’t stand a chance, as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.

There are obvious questions and concerns about the use of this technology, and not just at the professional level. Wearables can be found at all levels of sports and athletic activities, including at colleges and high schools. At the professional level, the NFL is unique in that it allows teams to use the chip data during contract negotiations. However, players do not have full access to this information unless it is specifically granted by individual teams. This matters because there is much debate over who truly owns this data. And, for a variety of reasons, players and athletes want to know where their information is stored, how it is stored, whether and how it might be used and disclosed, who has access to it, and what safeguards are in place to protect it. Major League Baseball and the Players Association added Attachment 56 to the 2017-2021 Collective Bargaining Agreement to address some of these concerns. But, again, these and other questions are not unique to professional ball players.

With devices ranging from wearable monitors to clothing and equipment with embedded sensors, professional teams, colleges and universities, local school districts, and other sports and athletic institutions, as well as the companies that provide the wearables, can now collect massive amounts of data such as an athlete’s heart rate, glucose level, breathing, gait, strain, or fatigue. On the surface, this data relates to an athlete’s performance and overall wellness, some of which may be apparent to onlookers without the aid of the device. However, alone or in aggregate, the data may reveal more sensitive personal information about the athlete’s identity, location, or health status, information that cannot be obtained just by closely observing the individual. When organizations collect, use, share, or store this data, they create privacy and security risks, and numerous international, federal, and state data protection laws may apply. Any sports or athletic organization that develops a wearable device program, or has reason to believe that coaches and others are using these devices to collect similar data, should be mindful of these risks and regulatory issues.

Below is a non-exhaustive list of some of these laws (continued in the full post, “As Wearable Technology Booms, Sports and Athletic Organizations at all Levels Face Privacy Concerns”).

The California Consumer Privacy Act (CCPA), passed in 2018 and taking effect January 1, 2020, is considered the most expansive state privacy law in the United States, and sparked a flurry of state privacy law legislative proposals, in particular in Washington state. This January, a group of state senators in Washington introduced the Washington Privacy Act, SB 5376 (WPA), slightly updated in late February. On March 6th, the bill passed the Senate with a nearly unanimous vote, and now heads to the House for review. If approved, the WPA will take effect July 31, 2021.

Unlike other states that are modeling their bills largely on the CCPA (e.g. Hawaii, Maryland, New Mexico), the WPA would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In fact, the WPA’s legislative findings explicitly state that Washington residents “deserve to enjoy the same level of privacy safeguards”, as those afforded to EU residents under the GDPR. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

Below are key aspects of the WPA:

  • Jurisdictional Scope. The WPA would apply to legal entities that conduct business in Washington or produce products or services intentionally targeted to residents of Washington, and that satisfy one or more of the following thresholds: controls or processes the personal data of 100,000 or more consumers; or derives over 50% of gross revenue from the sale of personal information and processes or controls the personal information of 25,000 or more consumers. The bill includes exemptions for personal data regulated by HIPAA, HITECH, or the GLBA, and for data sets maintained for employment record purposes. Personal data is defined broadly to include any information relating to an identified or identifiable natural person.
  • Consumer Rights. Washington residents are afforded the power to request that controllers of their personal data:
    • provide them with confirmation whether their personal information is being processed by the controller or sold to a third-party;
    • provide them with a copy of the personal data undergoing process;
    • correct inaccurate personal data;
    • delete their personal data under specified circumstances (e.g., the personal data is no longer necessary for the purpose for which it was collected, the processing is for direct marketing purposes, or the personal data has been unlawfully processed).
  • Consent. In general, businesses in the U.S. are used to needing only implied or opt-out (negative) consent from customers for the collection and use of their data. The WPA would require consent to be a “clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of a consumer’s agreement to the processing of personal data relating to the consumer, such as by a written statement or other clear affirmative action.”
  • Controllers and Processors. In general, controllers determine the purposes and means of processing personal data, while processors process personal data on behalf of the controllers. Thus, under the WPA, controllers would be responsible for meeting the requirements of the WPA, while processors are responsible for following the instructions of their controllers and assisting them with meeting the requirements of the law. Contracting between the parties will be critical.
  • Transparency. Controllers must be transparent and accountable for their processing of personal data by making a “meaningful,” “clear,” and “reasonably accessible” privacy notice available (although the bill’s own language on this point is less than clear). The notice must include: the categories of personal data collected, the purposes for which personal data is disclosed to third parties, the rights the consumer may exercise, the categories of personal data shared with third parties, and the categories of third parties with whom the controller shares data.
  • Risk Assessments. Controllers must conduct and document risk assessments covering the processing of personal data prior to the processing of such personal data whenever there is a change in processing that materially impacts the risk to individuals, and on at least an annual basis regardless of changes in processing.
  • Enforcement. A controller in violation of the law is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

 It is worth noting that unlike California’s CCPA which leaves open the possibility of application to employee data, the WPA explicitly states that a protected “consumer” does not include an employee or contractor of a business acting in their role as an employee or contractor. Moreover, as already mentioned above, data sets maintained for employment record purposes are exempt from the jurisdictional scope. That said, the WPA is not yet final, and could be revised during the legislative process to include employee data.

States across the country are contemplating ways to enhance their consumer privacy and security protections. For example, we recently spotlighted New Jersey in two posts (available here and here), detailing several NJ Assembly bills relating to privacy and security that are currently under consideration. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs).


The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.

Since the start of 2019, at least six state legislatures have introduced privacy bills modeled largely on the CCPA. Below are some of the highlights of each state legislative proposal:

  • Hawaii – SB 418, introduced on January 24 by two Democratic senators, contains consumer rights and business requirements similar to the CCPA’s. The current bill text does not include a definition of “business”. Although this will likely be remedied, if left as is the Hawaii bill would have a broader reach than the CCPA, which applies only to entities that do business in the state of California.
  • Maryland – SB0613, introduced on February 4 by Senator Susan Lee (D), includes consumer rights similar to those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive, as it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his or her rights and prohibits financial incentives for the processing of personal information.
  • Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, combines key aspects of the CCPA with aspects of Illinois’s Biometric Information Privacy Act (BIPA). The bill would give Massachusetts consumers a private right of action if their personal information or biometric information (treated separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding under the BIPA, under the proposed bill Massachusetts consumers may not have to demonstrate actual harm to seek damages.
  • Mississippi – HB 2153, a house bill that was quickly defeated, was the closest in structure to the CCPA, pulling language directly from the California law. Although the Mississippi bill did not succeed, it still signals how state legislators across the U.S. are considering consumer privacy.
  • New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to protect consumer privacy without stifling the “innovation and creativity” of companies. Although the language differs, key components of the CCPA are present in the New Mexico bill (e.g., right of access, right of deletion, right to opt out, private right of action).

In addition to the CCPA-like proposals discussed above, other states are also considering unique ways to enhance consumer data privacy for their residents. For example, New York legislators recently introduced at least four different consumer-privacy-related bills, including one on biometric privacy (SB 547) and another that would regulate businesses’ collection and disclosure of personal information (S00224). And in mid-January several North Dakota legislators introduced a consumer privacy bill, HB 1485, focused exclusively on prohibiting the disclosure of an individual’s personal information without “express written consent”.

Finally, a group of senators in Washington State, in January, introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

This state level activity could prompt Congress to move more quickly with one of its proposed bills, the latest being the Data Care Act, which proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information. Much of the private sector, including the Internet Association, comprised of the leading tech companies, is pushing for a federal approach to consumer privacy to prevent the “patchwork of state laws” that has arisen in the area of data breach notification law.  Not even three months in, 2019 is already gearing up to be a busy year for consumer privacy law.


In light of several recent large-scale breaches, the New Jersey General Assembly is taking steps to enhance the state’s data breach notification requirements. In late February, Assembly Bill 3245 (AB 3245), introduced by Assembly Members Ralph Caputo and Carol Murphy, was unanimously approved by both the Assembly and the Senate, and now heads to Governor Phil Murphy for signature. In short, if signed, AB 3245 would require businesses to notify consumers when the credentials to their online accounts are breached, not only when traditional identifiers such as Social Security numbers are.

New Jersey’s data breach notification law requires businesses to notify consumers of a breach of their personal information. Currently the law defines personal information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:

  • Social Security number;
  • driver’s license number or State identification card number;
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

AB 3245 would add to the above list of data elements:

  • user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account. 

This amendment would keep New Jersey in line with other states that have similarly enhanced their data breach notification laws to address online breaches, including Alabama, Arizona, California, Florida, Illinois, Nebraska, Nevada, South Dakota and Wyoming.

“Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and expose consumers to identity theft,” said Caputo (D-Essex). “If an individual’s personal information has become unwillingly available to someone else, they have the right to know as quickly as possible.”

New Jersey is at the forefront of consumer privacy and security law, with other related bills recently introduced, including AB 4902, which creates new obligations for commercial entities whose online websites or services are accessed by individuals, and AB 7974, which regulates the use of a customer’s GPS data. Be on the lookout for our full update on some of New Jersey’s other initiatives, coming later this week.

In 2018, Delta paved the way in airport terminal development by introducing the first biometric terminal at Hartsfield-Jackson Atlanta International Airport, where passengers can use facial recognition technology from curb to gate. Delta now also allows members of its Sky Club airport lounges to enter using a fingerprint rather than a membership card or boarding pass. Other airlines use biometric data to verify travelers during the boarding process with a photo capture. The photograph is then matched, using facial recognition technology, against photos previously taken of the passengers for their passports, visas, or other government documentation.

Though the use of a fingerprint or facial scan aims to streamline and expedite the travel process and strengthen the security of air travel, it also presents heightened security risks for biometric data on a larger scale. As the use of biometric data increases, so does the impact of a breach of that data. While it is possible to change a financial account number, a driver’s license number, or even a Social Security number, you can’t change your fingerprint or your face, not easily anyway. Furthermore, facial recognition software has historically been less accurate at identifying people of color, raising concerns that individuals may be racially profiled.

Yet many argue that biometric-based technologies can be used to help solve vexing security and logistics challenges in travel. For example, in 2016 Congress authorized up to $1 billion collected from certain visa fees to fund implementation of biometric exit technology. That was followed by an executive order President Trump signed in March 2017 directing the Department of Homeland Security to expedite implementation of a biometric entry-exit tracking system for all travelers to the United States. As it stands, we are likely to see a rapid expansion of biometric technology used by airlines and other businesses in the travel industry, so prepare your picture-perfect travel face!

Notably, the use of biometric data is growing across all industries and in a variety of applications, e.g., premises security, time management, and systems access management. But so is the number of state laws intended to protect that data. States such as Illinois, Texas, and Washington are leading the way, with others sure to follow. Requirements include notice and consent, mandates to safeguard biometric information, and obligations to notify individuals in the event biometric information is breached. And litigation is increasing. The Illinois Supreme Court recently handed down a significant decision, for example, concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of their rights under BIPA. The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA.

Companies, regardless of industry, should be reevaluating their biometric use practices, and taking steps to comply with a growing body of law surrounding this sensitive information.

On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA), which was enacted in June 2018. If enacted, this would be the second amendment to the CCPA, following Senate Bill 1121, which Governor Jerry Brown signed into law in September 2018 and which also clarified and strengthened the original version of the law.

As we reported previously, the CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million; (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under the CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the categories of information and third parties to which the information was sold or disclosed;
  • A consumer’s right to opt-out of the sale of personal information by a business and prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB 561’s amendments include:

  • Expands a consumer’s right to bring a private cause of action. Currently, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment broadens this provision to grant consumers a private right of action whenever their rights under the CCPA are violated.
  • Removes language that allows businesses the opportunity to cure an alleged violation within 30-days after being notified of alleged noncompliance.
  • Removes language allowing a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the law. Instead, the amendment specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the law.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published. Last month, the California Attorney General’s Office began the CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law.

SB 561 comes just days after AG Becerra, together with Assemblymember Mark Levine, announced Assembly Bill 1130 to strengthen California’s existing data breach notification law. No doubt, California is leading the way in U.S. data privacy and security law.


Co-Author: Gabrielle Bruno

Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of individuals. But K-12 schools are also at risk for cyber attacks as they rely more on technology for day-to-day operations and typically maintain a wealth of sensitive information about their students, teachers, administrators and other staff.

News reports of cyber attacks on schools surface regularly. A phishing attack on San Diego Unified School District in California enabled hackers to steal Social Security numbers and addresses of more than 500,000 students and district staff. Discovered in October 2018, this far-reaching incident occurred between January 2001 and November 2018. And generally, data breaches are on the rise – a recent report found that nearly half a billion consumer records containing sensitive personal information were hacked in 2018, in comparison to 198 million sensitive records in 2017.

To address these gathering cyber threats against schools, the New York State Department of Education (“SED”) recently proposed new regulations that will, once adopted, require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals.

The SED’s regulation is comprised of a number of key sections, including:

  • Parent’s Bill of Rights. Each school must publish a parent’s bill of rights on its website. Schools must also include the bill of rights in every third party contract where a third party contractor will receive PII. Schools will be required to establish a clear path for parents to communicate and file complaints about breaches or unauthorized releases of student data, including a challenge to the accuracy of the student data.
  • Data Security and Privacy Standard and Plan. The National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) is the standard for school security policies. Additionally, each time a school enters into a third-party contract with an entity that will receive PII, a data security and privacy plan must be provided. The plan must outline, among other things, how the third-party contractor will safeguard PII consistent with the school’s data security and privacy program. All officers or employees of the third-party contractor who have direct access to PII must receive training on applicable federal and state law.
  • Training for Educational Agency Employees. Information privacy and security awareness training, online or in person, must be provided annually by schools to their officers and employees that have access to PII.
  • Data Protection Officer Appointment. Every school is required to appoint a Data Protection Officer (“DPO”), filled by a new or existing employee, that is responsible for implementing all required security and privacy policies and procedures. The DPO will serve as the point of contact within the school on all data security and privacy matters.
  • Reports and Notifications of Breach and Unauthorized Release. Regarding any breach or unauthorized release of PII, third-party contractors must report to all affected schools without unreasonable delay, but in no case more than seven calendar days from the date of discovery. After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify SED within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay, but in no case more than 14 calendar days from the date of discovery. If, however, notification would expose an ongoing vulnerability or interfere with a law enforcement investigation, the notification may be delayed until no later than seven calendar days after the vulnerability has been remedied or the investigation has concluded.
  • Chief Privacy Officer’s Powers and Responsibility. The Chief Privacy Officer (“CPO”) of SED will have access to all records, audits, and documents within a school regarding the PII of individuals. Additionally, the CPO will have the authority to require schools to perform privacy and security risk assessments at any given time.
  • Third Party Contractor Civil Penalties. After each breach or unauthorized release of PII by a third-party contractor, the civil penalty will be up to $10 per affected student, teacher, and principal. It will be the CPO’s responsibility to investigate each breach or unauthorized release from a third party entity.

After the required 60 day public comment period for the proposed regulation, it will likely be presented for permanent adoption to the Board of Regents during its May 2019 meeting. If adopted by the Board of Regents, the regulation will be effective July 1, 2019.

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA, the importance of instituting basic best practices for data breach prevention and response.

On November 26th, the OCR announced a settlement with Allergy Associates of Hartford, P.C. (Allergy Associates), a health practice specializing in allergies, over alleged HIPAA violations resulting from a doctor’s disclosure of patient information to a reporter. The investigation found that a doctor from Allergy Associates, questioned by a local television station about a dispute with a patient, disclosed the patient’s protected health information (PHI). The OCR concluded that the disclosure showed a “reckless disregard for the patient’s privacy rights”. Allergy Associates agreed to a monetary settlement of $125,000 and a corrective action plan that includes two years of monitoring of its HIPAA compliance.

» A well-thought-out media relations plan, together with regular security awareness training that includes the physicians themselves, would go a long way toward reducing these risks. An unscripted answer to a reporter is a disclosure like any other, and the workforce needs to know who is authorized to speak and what may be said.

Then, on December 4th, the OCR announced that it had reached a settlement with the Florida physician group Advanced Care Hospitalists PL (ACH) over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor. According to OCR’s announcement, ACH engaged an unnamed individual to provide medical billing services without first entering into a business associate agreement (BAA). While the individual appeared to work for Doctor’s First Choice Billing (“First Choice”), First Choice had no record of this individual or his activities. ACH later learned that patient PHI was viewable on First Choice’s website, potentially exposing the PHI of nearly 9,000 patients. In the settlement ACH did not admit liability, but agreed to adopt a robust corrective action plan including the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. In addition, ACH agreed to a $500,000 payment to the OCR.

» This is not the first time the OCR has reached settlements with covered entities over not having business associate agreements in place. Covered entities should consider a more formal vendor assessment and management program. That is, certainly make sure there is a BAA in place, but also assess the business associate’s policies, procedures, and practices, and confirm that the people actually handling your PHI are the vendor’s own personnel. In the ACH matter the vendor had no record of the individual doing the work; a signed BAA alone would not have caught that.

And finally, on December 11th, the OCR announced a settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, for potential HIPAA privacy and security violations. The settlement responds to a complaint that a former employee of PSMC continued to have remote access to the hospital’s scheduling calendar, which contained patients’ electronic protected health information (ePHI), after his employment had ended. OCR’s investigation revealed that PSMC did not have a business associate agreement in place with its web-based scheduling calendar vendor, or with the former employee. PSMC agreed to implement a two-year corrective action plan that includes updates to its security management and business associate agreement policies and procedures, and workforce training. In addition, PSMC agreed to a $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

» This is a lesson for all businesses: when employees leave the organization (or move out of a position that permits access to certain protected information), their access should be changed immediately. This includes physical and electronic access, and in particular remote access and accounts on third-party or web-based services such as the hosted scheduling calendar in the PSMC case. Those accounts sit outside the organization’s own directory, so disabling the network login does not revoke them, and they are easy to miss unless offboarding is checked against HR records system by system.
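One way to make that check routine is to reconcile account exports from every system that holds PHI against the HR separation list, and flag both accounts that are still enabled for former staff and accounts that were actually used after the separation date (the PSMC pattern), as well as accounts that no HR record can vouch for (the ACH pattern). The following is an added illustration, not code from the page, from OCR or from any vendor; the systems, names, dates and `Account` export format are all constructed for the example.

```python
"""Offboarding reconciliation: compare account exports against HR data.

Added example. All records below are constructed; a real run would load the
HR roster from the HR system and the account lists from each system's export
(directory, hosted scheduling service, billing portal, and so on).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    system: str            # which export the row came from, e.g. "ad" or "scheduling_saas"
    username: str
    owner_email: str       # the key that links the account to an HR record
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    owner_email: str
    code: str              # machine-readable reason, used for routing and tests
    detail: str            # human-readable explanation for the ticket


def reconcile(accounts: Iterable[Account],
              separations: Dict[str, date],
              active_staff: Set[str]) -> List[Finding]:
    """Return every account that should have been revoked or that HR cannot vouch for."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct.owner_email in active_staff:
            continue  # current workforce member; access is expected
        last_day = separations.get(acct.owner_email)
        if last_day is None:
            # Present in a system but absent from HR entirely: a contractor,
            # shared login or unknown individual that nobody formally onboarded.
            findings.append(Finding(acct.system, acct.username, acct.owner_email,
                                    "no_hr_record",
                                    "account has no matching HR record"))
            continue
        if acct.enabled:
            findings.append(Finding(acct.system, acct.username, acct.owner_email,
                                    "enabled_after_separation",
                                    f"still enabled; employment ended {last_day}"))
        if acct.last_login is not None and acct.last_login > last_day:
            # Not just a missed deprovisioning step: the credential was used.
            findings.append(Finding(acct.system, acct.username, acct.owner_email,
                                    "login_after_separation",
                                    f"last login {acct.last_login} is after separation {last_day}"))
    return findings


# Constructed HR data: who is current, and the last day for everyone who has left.
ACTIVE_STAFF: Set[str] = {"b.jones@example.org"}
SEPARATIONS: Dict[str, date] = {
    "j.doe@example.org": date(2018, 3, 15),
    "a.smith@example.org": date(2018, 6, 30),
}

# Constructed account exports. The directory account for j.doe was disabled on the
# last day, but the hosted scheduling account was forgotten and used afterwards.
ACCOUNTS: List[Account] = [
    Account("ad", "jdoe", "j.doe@example.org", enabled=False, last_login=date(2018, 3, 15)),
    Account("scheduling_saas", "jdoe", "j.doe@example.org", enabled=True, last_login=date(2018, 5, 2)),
    Account("ad", "asmith", "a.smith@example.org", enabled=True, last_login=date(2018, 6, 29)),
    Account("ad", "bjones", "b.jones@example.org", enabled=True, last_login=date(2018, 7, 1)),
    Account("scheduling_saas", "bjones", "b.jones@example.org", enabled=True, last_login=None),
    Account("billing_portal", "billing_temp", "unknown@contractor.example", enabled=True, last_login=date(2018, 7, 3)),
]


def main() -> None:
    for f in reconcile(ACCOUNTS, SEPARATIONS, ACTIVE_STAFF):
        print(f"{f.system:16} {f.username:14} {f.code:26} {f.detail}")


if __name__ == "__main__":
    main()
```

Run against real exports, the `login_after_separation` findings are the ones to treat as a potential incident rather than a housekeeping item, since they show the credential was used after the person should have lost it; the `no_hr_record` findings are the vendor-management problem from the ACH matter in account form.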

This series of recent settlements serves as a reminder of the seriousness with which the OCR treats HIPAA violations. In October, in honor of National Cybersecurity Awareness Month, the OCR and the Office of the National Coordinator for Health Information Technology jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. It is an excellent tool for conducting an enterprise-wide risk analysis. Alternatively, our HIPAA Ready product provides a scaled approach for midsized and smaller healthcare practices and business associates. In the end, healthcare organizations and their business associates need to address basic best practices including: terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations.