HHS Announces HIPAA Settlement with Massachusetts Providers for $1.5 Million

Posted on September 19, 2012 in Health Law News

Published by: Hall Render

On September 17, 2012, the Department of Health and Human Services (“HHS”) announced that it had reached an agreement with two health care providers who were operating as a single affiliated covered entity for purposes of HIPAA (collectively referred to as the “Providers”) to settle potential violations of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The HHS Office for Civil Rights (“OCR”) initiated its investigation after the Providers filed a breach report as required by the Breach Notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

The underlying facts involved the theft of an unencrypted personal laptop containing the electronic protected health information (“ePHI”) of 3,621 patients and research subjects of the Providers.  The ePHI included patient prescriptions and other clinical information.  OCR investigated the report and found that the Providers had, over an extended period, repeatedly failed to take the steps necessary to comply with several requirements of the HIPAA Security Rule.  In particular, OCR found that the Providers’ HIPAA compliance fell short in the following ways:

  • The Providers failed to demonstrate that they conducted a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices.
  • The Providers’ security measures were not sufficient to ensure the confidentiality of ePHI that they created, maintained and transmitted using portable devices.
  • The Providers failed to adequately adopt or implement policies and procedures concerning or governing (i) security incident identification, reporting and response; (ii) restriction of access to ePHI to authorized users of portable devices; and (iii) receipt and removal of portable devices into, out of and within the facilities.
  • The Providers did not implement an equivalent, reasonable and appropriate alternative measure to encryption to ensure confidentiality of ePHI.

As a result, HHS and the Providers entered into a Resolution Agreement whereby the Providers agreed to pay HHS a $1,500,000 settlement, in three annual installments of $500,000, and to perform the following obligations under a Corrective Action Plan (“CAP”):

  • Develop, maintain and revise, as necessary, written policies and procedures relating to:
    • Administrative, physical and technical safeguards for all portable devices that contain or are used to access the Providers’ ePHI;
    • The completion of an accurate and thorough risk analysis;
    • Risk management measures;
    • Device and media controls; and
    • Device and media encryption.

The policies and procedures must include procedures for implementing security measures sufficient to reduce the risks and vulnerabilities identified by the risk analysis, identifying and responding to security incidents, mitigating harmful effects of security incidents, tracking the receipt and removal of electronic media containing the Providers’ ePHI, specifying proper use of workstations that access the Providers’ ePHI, encrypting and decrypting portable devices containing ePHI and applying sanctions to workforce members who violate the policies and procedures.

  • Obtain HHS’s approval of the policies and procedures; distribute them to all workforce members who have access to ePHI within 60 days of HHS’s approval and to new workforce members within 15 days of beginning service; obtain a written or electronic compliance certification from each workforce member; and assess, update and revise, as necessary, the policies and procedures at least once annually and more frequently if appropriate.  The Providers shall not permit any existing or new workforce member to access ePHI until the workforce member has signed or provided the appropriate compliance certification.
  • Train each workforce member who has access to and uses ePHI on the HIPAA policies and procedures, obtain certification from each workforce member that the training was received and review and update such training at least annually and more often as needed.  The Providers shall not permit any existing or new workforce member to use or access ePHI until the workforce member has provided training certification.
  • Designate, and obtain HHS’s approval of, an independent monitor (“Monitor”) to review the Providers’ compliance with the CAP.  The Monitor shall perform at least two unannounced visits to the Providers’ facilities to determine whether the Providers’ workforce members are complying with the Providers’ policies and procedures, investigate reports of noncompliance with the CAP and prepare semiannual reports to HHS concerning the Providers’ compliance.
  • Investigate potential instances of workforce member noncompliance with policies and procedures and report any confirmed failures to comply to the Monitor.
  • Submit an implementation report to HHS documenting compliance with the terms of the Resolution Agreement.

In the press release announcing this enforcement action, OCR noted that the Providers’ actions demonstrated a long-term organizational disregard for the requirements of the Security Rule.  OCR Director Leon Rodriguez stressed the importance of compliance with the Security Rule at every level of an organization, saying that “in an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices.  This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

In light of this development, coupled with other recent enforcement actions (see our previous alerts here and here), covered entities, regardless of size or type, should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:

  • Conducting a risk assessment to determine where vulnerabilities exist in current practices and systems;
  • Reviewing policies and procedures affecting privacy and security to ensure that they are thorough and complete;
  • Training workforce members who have access to ePHI on the details of HIPAA policies and procedures;
  • Actively monitoring compliance, particularly when there is a material change in processes, personnel or functions; and
  • Considering the use of encryption or other appropriate technical safeguards for all media and devices that store, transmit or maintain ePHI, even if those devices are not owned or issued by the covered entity.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH.  Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.

If you need additional information about HIPAA/HITECH, please contact Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com, Chad Wilson at (317) 977-1473 or cwilson@hallrender.com or your regular Hall Render attorney.