CMS fines in 2017. “Those who cannot remember the past are condemned to repeat it.”
Author George Santayana wrote these words in his philosophy text The Life of Reason published in 1905. There are several variations of this quote but they all mean the same thing. One must learn the lessons that history teaches and apply them to current endeavors.
The Centers for Medicare & Medicaid Services (CMS) has released the first fines for 2017 with some very familiar themes. Both cases (in fact every CMS fine case) contain one common issue – lack of a proper Risk assessment process.
The Children’s Medical Center of Dallas was fined $3.2 million for two separate Protected Health Information (PHI) breach incidents arising from the lack of encryption on end devices that occurred three years apart. CMS fined Children’s for among other things “a failure to implement Risk management plans.”
Memorial Healthcare System (MHS) was fined $5.5 million for a breach reported in 2012. Memorial grants access to affiliated physicians’ offices and vendors to its PHI systems. Memorial did not have a process in place to audit accounts from those third-party groups. IN 2011, an affiliated physician’s office of MHS has an employee leave. Unfortunately, the user account was never removed from Memorial system(s), and was used for over a year to access PHI. CMS noted “MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.”
Both Children’s and MHS had policies in place that addressed the specific issues, but no follow-up (audits) occurred to ensure the policies were being enforced. The Risk assessment process should have shown the lack of audits being performed and instituted the corrective actions being taken to mitigate those risks. There is no value in written policies and a risk assessment process if audits and mitigation tasks are ignored. CMS determines this (and fines) as a failure of the Risk assessment process. Remember, Trust but Verify!
The HIPAA Security rules imposed a Risk assessment process on every Covered Entity. The purpose was to force an organization to review the entire system at least annually, identify appropriate risk levels, develop mitigation plans utilizing the risk levels, execute those plans, then ‘rinse and repeat.’ Business risks are like an ever-growing onion, get through one layer only to discover another layer below. This process goes on as long as you are in business.
I ride motorcycles. I know it sounds inappropriate, the risk guy riding a motorcycle, right? However, I equate riding to the Risk assessment process. On a motorcycle, you are always evaluating your risk and exposures and taking corrective actions in real time to avoid those risks. I also take a motorcycle safety course every two years as a refresher to make sure I am up to date with the latest techniques in risk avoidance.
I use the same methodology in any Risk assessment process. Build the process from a good base and then evaluate, identify, classify, mitigate, ‘rinse and repeat.’
Every CMS fine levied includes an inadequate Risk assessment process. I am confident in saying that CMS assumes if the Risk assessment process is correctly instituted, then a business would not come to their attention and be investigated. Hence, one of the main reasons they have included a statement about the Risk assessment process being deficient in all their recent press releases regarding fines.
We only know what groups CMS has investigated based on negative findings. CMS does not publish the results of any cleared investigations. We will never know who avoided penalties but you can be certain that their risk assessment process must have been deemed to be working or CMS would have fined them.
At some point, I will tell you how being on a submarine is the ultimate in risk assessment and avoidance, but that is for another post….