Part Two of “Managing Your Business Associates & Agreements”

The Office for Civil Rights (OCR) imposed the largest financial penalty in 2020 of $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic Protected Health Information (ePHI) of 6,121,158 individuals by a Business Associate.

Business Associate, Charles Hilton and Associates, which handles collections for University of Pittsburgh Medical Center (UPMC), announced that hackers had gained access to the email accounts of some of its employees between April and June 2020. The investigation revealed the compromised accounts contained the Protected Health Information of UPMC patients, some of which was potentially viewed or obtained by the attackers. Both University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are now facing a class action lawsuit over the breach.

CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a Business Associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

While the dsyfer tool is not an information technology system tool; it is an automated platform which manages your organizations Business Associate Platform by providing Business Associate Risk Assessments, at intervals you choose for your program.

Are unsure how to handle your Business Associates and their Agreements?

Dsyfer can help.

For more information, call a dsyfer client service member at 480.779.4653 or email info@sybersafe.com