
HHS Announces HIPAA Settlements for Stolen Laptops

Posted on April 25, 2014 in Health Law News

Published by: Hall Render

On April 22, 2014, the Department of Health and Human Services (“HHS”) announced that it reached settlements with two covered entities arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules. Both settlements involve the theft of unencrypted laptops and follow investigations in which the Office for Civil Rights (“OCR”) found ongoing deficiencies in HIPAA compliance. These cases mark the 19th and 20th HIPAA enforcement actions taken by HHS since 2008 and the 2nd and 3rd this year. OCR representatives have stated that there are several more cases in the pipeline.

In the press release announcing the settlements, the OCR Deputy Director for Health Information Privacy, Susan McAndrew, noted that “[o]ur message…is simple: encryption is your best defense against these incidents.”

The Settlements

The first settlement involves a national provider of occupational medicine, urgent care, physical therapy and wellness services that is headquartered in Texas. OCR Region X began an investigation of the provider when it received a breach report that an unencrypted laptop was stolen from one of its Missouri facilities in December 2011, affecting 870 individuals. OCR’s investigation found that the provider previously had conducted risk analyses that identified the absence of encryption on portable devices as a critical risk but had been inconsistent in its steps to remediate that risk, which were not yet complete. OCR’s investigation also found that the provider’s security management processes were insufficient and did not adequately safeguard patient information.

HHS and the provider entered into a Resolution Agreement under which the provider agrees to pay $1,725,220 and comply with a Corrective Action Plan.

The second settlement involves an Arkansas health plan. In February 2012, the health plan reported to OCR that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 148 individuals was stolen from a workforce member’s car. OCR Region VII’s investigation found that over a period of time the health plan did not implement policies and procedures to prevent, detect, contain and correct security violations. Specifically, OCR found that the health plan had not conducted an accurate and thorough risk assessment and did not implement security measures sufficient to reduce risks and vulnerabilities to ePHI, both of which are HIPAA Security Rule requirements. OCR also found that the health plan did not implement physical safeguards for all workstations to restrict access to authorized users.

HHS and the health plan also entered into a Resolution Agreement under which the health plan agrees to pay $250,000 and comply with a Corrective Action Plan.

In both cases, the Corrective Action Plan requires the covered entities to implement and report on a number of HIPAA compliance activities, including:

  • Providing HHS with a risk analysis of all potential risks and vulnerabilities to all of the covered entity’s ePHI;
  • Providing HHS a risk management plan that describes all evidence of implemented and planned remediation actions and, for all planned remediation actions, timelines for expected completion;
  • Conducting security awareness training for workforce members; and
  • Submitting annual reports of compliance to OCR for two years.

Practical Takeaways

In light of these HIPAA enforcement actions, covered entities and business associates should continue to take the necessary steps to safeguard their ePHI, including:

  • Addressing the HIPAA Security Rule encryption standard, which requires that encryption be implemented unless it is not reasonable and appropriate, in which case an alternative measure must be implemented and documented;
  • Determining which devices and equipment contain or have access to ePHI and applying the encryption standard to all such devices, such as portable devices, desktop computers and medical equipment;
  • Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for ePHI;
  • Creating a detailed remediation plan for any vulnerabilities identified by the risk analysis and taking swift and consistent action to complete remediation activities according to their level of criticality;
  • Updating privacy and security policies regularly;
  • Updating and providing privacy and security training for workforce members periodically;
  • Investigating and sanctioning workforce members promptly and appropriately for violations of HIPAA policies and procedures; and
  • Conducting an independent HIPAA compliance assessment utilizing the OCR HIPAA Audit Protocol.

More information on these enforcement actions, including the Resolution Agreements and the HHS press release, is available here.

If you need additional information about these matters or how to conduct a HIPAA compliance assessment, please contact:

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting https://hallrender.com/tag/hipaa/.