A recent costly settlement is the latest reminder of the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a medical practice (the Group) entered into a resolution agreement that serves as an expensive reminder of potential HIPAA exposure for healthcare providers’ failure to maintain written policies and procedures. The settlement, which requires the Group to pay $150,000 and implement a corrective action plan, is based on OCR’s findings that the Group failed (i) to perform risk analysis (required under the HIPAA Security Rule) and (ii) to have written policies and procedures, and train members of its workforce (required under the Breach Notification Rule).
Landscape of Healthcare Data Breaches
In recent years, the number of reports of healthcare data breaches has skyrocketed. In 2013, the Identity Theft Resource Center (ITRC) identified 267 data breaches within the medical/healthcare industry, constituting 43% of all data breaches tracked by ITRC; in 2012, the ITRC identified 163 medical/healthcare data breaches, which comprised only 34.7% of all data breaches.
Pursuant to the Breach Notification Rule, HIPAA-covered entities (healthcare providers, health plans and healthcare clearinghouses) must notify individuals and OCR (and in some cases the media) of breaches of protected health information (PHI). The Breach Notification Rule further requires business associates to notify covered entities of such breaches. Since reporting began in 2009, OCR has received reports of more than 700 breaches involving 500 or more individuals and 64,000 reports of breaches involving fewer than 500 individuals.
Since 2008, OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into resolution agreements in 16 cases involving HIPAA noncompliance by covered entities.
The Breach, Investigation, and Resolution Agreement
The Group is a 12-physician medical practice with six offices. OCR’s investigation and the settlement arose out of the theft of an unencrypted thumb drive containing electronic PHI (ePHI) of approximately 2,200 people from the vehicle of one of the Group’s staff members.
—Steven M. Harris, Esq.
After the Group notified the media, the people whose ePHI was on the thumb drive, and OCR, OCR investigated the Group’s compliance with the HIPAA Security, Privacy and Breach Notification Rules (HIPAA Rules). Although the mere occurrence of a breach did not trigger sanctions, the settlement resulted from OCR’s findings that:
- The Group violated the Security Rule by failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI;
- The Group violated the administrative requirements of the Breach Notification Rule by failing to maintain written policies and procedures, and to train members of its workforce regarding breach notification; and
- The Group impermissibly disclosed ePHI by failing to reasonably safeguard the unencrypted thumb drive, which allowed the thief to gain unauthorized access to ePHI.
Subsequent to OCR’s investigation, OCR entered into a resolution agreement with the Group, under which the Group agreed to:
- Pay a $150,000 fine;
- Perform a comprehensive, organization-wide risk analysis of all ePHI security risks and vulnerabilities covering the Group’s electronic media and systems;
- Address and mitigate any security risks and vulnerabilities uncovered in the risk analysis by developing a risk management plan and, if necessary, revising its policies and procedures;
- Provide the risk analysis, risk management plan, and revised policies and procedures to OCR to review and revise, and implement any of OCR’s revisions; and
- Comply with reporting requirements.
What Does This Mean?
OCR’s press release notes conspicuously that this is the first settlement with a covered entity for failing to have breach notification policies. Despite the Group’s timely notification to the affected individuals, the media, and OCR, the Group was sanctioned for violating the Breach Notification Rule by failing to maintain written breach notification policies and procedures.
Although the Security Rule does not require encryption, if a breach occurs, failure to encrypt is likely to invite scrutiny from OCR, other regulators, and plaintiffs’ attorneys. Moreover, even if ePHI is lost or stolen, breach-reporting obligations may be excused if encryption is in accordance with National Institute of Standards and Technology (NIST) standards.
Risk analysis is a recurring theme in OCR’s resolution agreements and Security Rule guidance. In August 2013, OCR expressed a similar focus on risk analysis when settling with Affinity Health Plan Inc. for returning used photocopy machines without erasing PHI from the copier hard drives. In its press release, OCR stated, “covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
This settlement is a reminder of the importance of taking appropriate steps to protect the privacy and security of PHI. Parties will pay a high price for their failure to take appropriate steps to protect the confidentiality and security of PHI. In addition to the monetary fine, addressing the breach and the resulting investigation will result in other heavy costs. For example, legal and consulting costs can be substantial; attention of staff members and leadership is diverted; and a corrective action plan can be significantly more expensive and time consuming to implement than if effective policies and procedures had been employed. Moreover, it is difficult to quantify the adverse impact of a breach on one’s reputation and relationships. Thus, even when covered entities diligently pursue HIPAA compliance, they should still consider cyber insurance or other means to offset the potential for incurring the immense costs of a breach or investigation.
To avoid potentially significant costs and liabilities for HIPAA noncompliance and to minimize the likelihood and consequences of a data breach, proactive steps should be taken to ensure that systems, policies, and procedures comply with the HIPAA Rules and applicable state law. Accordingly, consider:
- Reviewing written HIPAA privacy, security, and breach notification policies and procedures, and updating them if necessary;
- Identifying and reviewing all business associate relationships and business associate agreements;
- Assessing potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI through the performance of risk analysis;
- Engaging in risk management to identify and take action on security gaps and promptly correcting identified HIPAA violations;
- Documenting HIPAA-related determinations and actions;
- Training workforce members to comply with the HIPAA Rules and promptly identifying, investigating, and responding to possible data breaches;
- Encrypting ePHI to the extent feasible;
- Avoiding unnecessary disclosures of PHI; and
- Obtaining cyber insurance.
HIPAA compliance is imperative, and taking proactive measures can help you avoid a bigger issue down the road.
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC. He may be reached at sharris@mcdonald hopkins.com.