HIPAA Compliance Investigations And The Insider Threat

I’ve been getting a lot more questions about HIPAA and HITECH lately from folks I’ve never met, but who have concerns about the security and privacy of their health information (“protected health information” or “PHI” as referenced within HIPAA/HITECH), from businesses that are trying to understand how to protect PHI according to the regulatory requirements, and from a growing number who express frustration with the insecure ways in which clients, customers, patients and business partners are sharing information with them. There just are not enough hours in the day to answer them all, but I decided I’d start sharing some of the questions, and my corresponding answers, on topics that a wide range of readers may be interested in.

I was recently contacted by someone who had a question about a recent HIPAA complaint against Rowan Regional Medical Center in North Carolina. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has just reopened the investigation, which was closed last month, and she wanted to know what it might mean that OCR has reopened the investigation; it seemed unusual to her to have an investigation into HIPAA non-compliance closed, and then re-opened again so soon.

Having a HIPAA investigation re-opened is not that surprising to me, and could be an indication of a very wide range of possibilities. First, here are a few thoughts based upon the content of the January 8 news report:

  • The original investigation was spawned by an employee complaint from August, 2010, about some specific individuals that “inappropriately used and disclosed her protected health information and a hospital employee harassed her and her family.”
  • Initially the investigators found no “violation of patient privacy rights.” This indicates, to me, that investigators may have reviewed whether or not specific HIPAA requirements, directly involved within the scope of the specific complaint, had been violated. The requirements within that scope of review may have been found satisfactory. However, there could still be other problems elsewhere in the organization, outside the review, that were not part of that initial scope. It is likely a full HIPAA audit was not done as part of the investigation; it would be almost impossible to do such full audits given how many complaint investigations OCR conducts each year.
  • It is important to keep in mind that covered entities can be doing everything possible to protect information, by having policies, procedures, training, and physical and technical controls in place. But they have to give their workers enough access to information to do their job responsibilities. It is a fact of human nature that some people will do bad things with their authorized access if they are sufficiently motivated; this is the insider threat.
  • The insider threat is very real, for all organizations. We must have a level of trust in employees to do their jobs and not abuse their authorized access to information. But, as numerous incidents have shown over the years, some employees will be tempted to abuse that trusted authorization and do bad things, even though they may have received training and know that there are policies against such wrong actions. Entire books have been written on the seemingly endless motivations for workers to exploit their authority and do bad things.
  • It’s possible that the initial complaint investigation, for the scope of activities involving the incident about which the complaint arose, did not reveal any HIPAA/HITECH violations.
  • The indication that the workers involved were required to have more training may indicate adequate training was not in place to begin with; however, sending workers to training is also a common activity that is part of the disciplinary requirements that typically accompany other disciplinary actions. The news report indicates all employees must undergo training, so it would seem to imply the additional training was part of corrective disciplinary actions.
  • Following this initial complaint audit, there may have been managers within the OCR who reviewed the case and, perhaps based upon notes, work papers or other types of related documentation, may have decided that a broader, more comprehensive HIPAA compliance audit was called for.
  • While it sounds, from this report, like disclosure of PHI did indeed happen, it doesn’t necessarily mean that hospital management knew about that disclosure until after the complainant filed her grievance. If insiders have access to information, they also may have access that lets them try to cover up their actions. So, HITECH is certainly also a consideration. However, it is not clear that the hospital acted with willful neglect or failed to respond to the incident appropriately and in compliance with HIPAA.

Of course these points are made speculatively using the information from the report. There is a lot of other information that needs to be obtained to provide a full picture of the situation. At this point in time I’m just one of the blind men describing an entire elephant by touching only a part of it, as is everyone else who does not have the full details of this situation.

Something to know and keep in mind is that whenever auditors review specific incidents they typically limit the scope of their review to that particular situation, and then provide their findings for that situation. However, during the course of an audit, the auditors involved should note, per good audit practices, other situations, evidence, documentation, etc. that they saw during the course of their audit that may be outside of the audit scope, even though their findings will only be based upon the scope of the audit. Good management of auditing agencies, when reviewing the audit reports, should then open another audit, with a different scope of review, if those notes indicate such action is warranted.

It certainly sounds like Alexander, the aggrieved party in the Rowan Regional Medical Center situation, has been through a terrible situation. And certainly her claims against the employees seem legitimate and appropriate. However, without seeing the actual initial complaint audit and the associated work papers and evidence, I cannot speculate about the true reason why another investigation has been opened.

  • It could be the result of another, new complaint from a different individual.
  • It could be the result of another, new complaint from the same individual.
  • It could be the result of another incident that has occurred since the original audit.
  • It could be the result of a business associate of the hospital filing a complaint.
  • It could be because the hospital did not provide the follow-up information that may have been required as a result of the first audit.
  • It could be the result of new evidence that has just been discovered.
  • It could simply be the result of a manager at OCR reviewing recent cases and determining, based upon notes within the original audit work papers, that a more comprehensive audit should be done.

I’ve been doing HIPAA work ever since HIPAA was signed into law. I’ve been doing audits for over two decades, and I’ve done over 200 information security and privacy program HIPAA compliance reviews over the past few years. And I continue to help covered entities and business associates and their subcontractors to have effective safeguards in place, in compliance with HIPAA and HITECH, through my HIPAA compliance service. In my experience, it would not be out of the ordinary for another audit or investigation, likely with a wider scope, to be opened soon after the initial audit.

Hopefully Rowan Regional Medical Center truly is doing all it can to prevent another incident such as this from happening. The new investigation, if it looks at the full HIPAA compliance program, should reveal this. But this situation points out the significant need to address the insider threat in order to prevent security incidents and privacy breaches.

The insider threat is significant in all organizations, and very hard, if not impossible, to eliminate completely. However, organizations can significantly reduce the associated risks, and demonstrate due diligence in implementing safeguards, by doing the following:

  • Establish a position responsible for information security, privacy and compliance.
  • Establish, implement and consistently enforce information security and privacy policies and supporting procedures.
  • Provide effective, regular information security and privacy training, supplemented with ongoing awareness communications.
  • Perform periodic risk assessments and compliance audits and then take action to remediate the findings.
  • And, very importantly and key to success: communicate, regularly, strong executive support for the information security and privacy compliance program.
