
HIPAA Penalties Are Real!

February 14, 2025

In December, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil penalty of $548,265 against a healthcare facility (the “Facility”) in Colorado for a series of HIPAA violations.

The first violation stemmed from a data breach in 2017 resulting from a phishing attack that compromised an employee’s email account. OCR’s investigation revealed that the breach occurred because the 2-factor authentication (“2FA”) feature on the employee’s email account had been disabled by the IT department and was never reactivated. While 2FA is not explicitly required by HIPAA (it is, however, recommended, since it adds an extra layer of security by requiring more than one credential to access data), it was the security measure the Facility had chosen, and it was not properly enabled at the time of the attack. According to OCR, the second breach occurred in 2020 because two employees granted unknown third parties access to their email accounts by approving 2FA access requests that neither employee had initiated.

OCR also determined that the Facility violated HIPAA by failing to train nursing students on clinical rotation who had access to PHI, and by failing to complete a risk analysis to identify the risks and vulnerabilities to ePHI in the organization’s information technology systems. Among other things, risk analyses are intended to discover and address precisely these types of issues, i.e., whether 2FA (or any other security tool) is disabled or otherwise not functioning as it should, and whether employees are properly safeguarding access to data.
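As an added illustration (not from the post, and not OCR’s or the Facility’s own tooling), here is the kind of recurring check a risk analysis could run over an identity-provider export of workforce email accounts to catch exactly the gap described above: 2FA switched off for a support reason and never switched back on. The export format, field names and exception window are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of workforce accounts (hypothetical format, not any
# vendor's). "mfa_disabled_at" records when IT turned 2FA off for that account.
ACCOUNTS = [
    {"user": "a.nurse",   "mfa_enabled": True,  "mfa_disabled_at": None,
     "exception_note": None},
    {"user": "b.clerk",   "mfa_enabled": False, "mfa_disabled_at": "2017-03-01T09:00:00Z",
     "exception_note": "IT: temporary, device reset"},      # forgotten exception
    {"user": "c.admin",   "mfa_enabled": False, "mfa_disabled_at": "2025-02-10T14:00:00Z",
     "exception_note": "IT: phone replacement"},             # still inside window
    {"user": "d.student", "mfa_enabled": False, "mfa_disabled_at": None,
     "exception_note": None},                                # never enrolled
]

# Maximum time an IT-approved 2FA exception may stay open (assumed policy value).
EXCEPTION_WINDOW = timedelta(days=7)


def find_mfa_gaps(accounts, now, window=EXCEPTION_WINDOW):
    """Return one finding per account whose 2FA is off and should not be.

    An account is flagged when 2FA was never enabled at all, or when an IT
    exception has stayed open longer than `window`. Exceptions still inside
    the window are treated as authorised and are not reported.
    """
    findings = []
    for acct in accounts:
        if acct["mfa_enabled"]:
            continue
        disabled_at = acct["mfa_disabled_at"]
        if disabled_at is None:
            findings.append({"user": acct["user"], "reason": "mfa_never_enabled",
                             "days_disabled": None})
            continue
        # ISO 8601 with a trailing "Z"; normalise to an aware UTC datetime.
        since = datetime.fromisoformat(disabled_at.replace("Z", "+00:00"))
        age = now - since
        if age > window:
            findings.append({"user": acct["user"],
                             "reason": "mfa_disabled_past_exception_window",
                             "days_disabled": age.days})
    return findings


if __name__ == "__main__":
    report_time = datetime(2025, 2, 14, tzinfo=timezone.utc)
    for finding in find_mfa_gaps(ACCOUNTS, report_time):
        print(finding)
```

Run on a schedule and routed to whoever owns the exception process, a report like this turns “2FA was disabled and nobody noticed” into a dated, reviewable finding.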

The Facility is now liable for over half a million dollars for failing to implement HIPAA-mandated policies and procedures, which are designed to prevent incidents like these. Simply having appropriate HIPAA documentation and training programs in place could have saved the Facility from much, if not all, of the liability here, even if the breaches had nevertheless occurred. After all, accidents do happen. But if they happen because you weren’t prepared, that’s when you face a fortune in fines from OCR.

Questions or concerns about your HIPAA compliance practices? Please contact us at (646) 213-9044 or Admin@AndrieuxLaw.com.
