$1.25 million HIPAA fine issued to Arizona's largest employer

Banner Health, the largest employer in Arizona, announced today it's recently paid a $1.2 million HIPAA fine for a breach that was originally detected in November 2016.

This post will cover what happened, how Banner Health is resolving the HIPAA violation, why their fine was so high, and what the HIPAA Security Rule is.

See also: HIPAA Compliant Email: The Definitive Guide

What happened

Banner Health is a nonprofit health system headquartered in Phoenix, Arizona. It's one of the largest nonprofit health systems in the country, with over 50,000 employees in six states. 

In November 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) started an investigation into Banner Health upon receiving a report (sources unknown) that a bad actor had already gained access to millions of people's electronic protected health information (ePHI).

The hacker(s) accessed ePHI that included:

• Patient names
• Physician names
• Dates of birth
• Addresses
• Social Security numbers
• Clinical details
• Dates of service
• Claims information
• Lab results
• Medications
• Diagnoses and conditions
• Health insurance information

In total, the sensitive information of 2.81 million Americans was breached.

The results of the investigation found overwhelming evidence of long term, rampant noncompliance with the HIPAA Security Rule across Banner Health, enterprise-wide.

Violations of the HIPAA Security Rule include:

• The lack of an analysis to determine risks and vulnerabilities to ePHI across the organization.
• Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack.
• Failure to implement an authentication process to safeguard its ePHI.
• Failure to have security measures in place to protect ePHI from unauthorized access when it was being transmitted across the internet.

Resolving the HIPAA violation

In order to resolve their grievous missteps with HIPAA compliance, Banner Health agreed to undergo a comprehensive corrective action plan. To make sure compliance with the HIPAA Security Rule is established, Banner Health also agreed to be monitored by OCR for two years.

Here's an overview of corrective action plan:

• Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
• Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
• Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically
• Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

Why did the HIPAA fine exceed $1 million?

According to the press release, we can infer the following reasons why the HIPAA fine for Banner Health exceeded $1 million:

• Conclusive evidence of long term, pervasive noncompliance with the HIPAA Security Rule, enterprise-wide, across Banner Health.
• Not being proactive in their efforts to regularly monitor system activity for hacking incidents.
• Absence of measures in place to sufficiently safeguard patient information from risk across the entire Banner Health network.

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect the confidentiality, integrity, and availability of ePHI by requiring covered entities to implement physical, administrative, and technical safeguards to secure ePHI. It was established under the Health Insurance Portability and Accountability Act (HIPAA) in 2003.

The HIPAA Security Rule includes requirements for access control, audit controls, transmission security, and data integrity.

Covered entities must also conduct regular risk assessments, develop and implement security policies and procedures, and train their workforce on HIPAA security requirements.

The HIPAA Security Rule provides a framework for covered entities to secure ePHI, which is meant to ensure the confidentiality, privacy, and security of this sensitive information.