A recent and costly settlement is the latest reminder of the importance of HIPAA compliance. At year-end 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a dermatology practice, Adult & Pediatric Dermatology, P.C. (the Group), entered into a resolution agreement that breaks new ground in imposing sanctions for failure to maintain written policies and procedures. The resolution agreement serves as a reminder of potential Health Insurance Portability and Accountability Act (HIPAA) exposure for covered entities and business associates. The settlement is based on OCR’s findings that the Group failed (i) to perform a risk analysis as required under the HIPAA Security Rule, and (ii) to have written policies and procedures and to train members of its workforce as required under the Breach Notification Rule. The settlement requires the Group to pay $150,000 and implement a corrective action plan. The press release, resolution agreement and corrective action plan are available here.
Landscape of healthcare data breaches
Reports of healthcare data breaches have been increasing in recent years. The Identity Theft Resource Center (ITRC) identified 267 data breaches within the medical/healthcare category during 2013, constituting 43 percent of all data breaches tracked by ITRC. This is a substantial increase from the 163 medical/healthcare data breaches tracked in 2012, comprising 34.7 percent of all data breaches.
The Breach Notification Rule requires covered entities (healthcare providers, health plans, healthcare clearinghouses) to notify individuals and OCR (and in some cases the media) of breaches of protected health information (PHI), and requires business associates to notify covered entities of such breaches. Since reporting began in 2009, over 700 breaches involving 500 or more individuals have been reported to OCR. In addition, OCR has received over 64,000 reports of breaches involving fewer than 500 individuals.
Since 2008, OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into HIPAA resolution agreements with covered entities in 16 cases for HIPAA noncompliance. The resolution agreement with the Group is the most recent example.
The breach, investigation and resolution agreement
The Group is a 12-physician dermatology practice with six offices. OCR’s investigation and the settlement arose out of the theft of an unencrypted thumb drive from the vehicle of one of the Group's staff members. The thumb drive, which contained electronic PHI (ePHI) of approximately 2,200 individuals, was never recovered. The Group notified the media, the individuals whose ePHI was on the thumb drive and OCR.
The breach spurred OCR’s investigation regarding the Group’s compliance with the HIPAA Security, Privacy and Breach Notification Rules (HIPAA Rules), but the mere occurrence of a breach did not trigger sanctions. The settlement resulted from OCR’s findings that:
- The Group did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI (risk analysis), as required under the Security Rule;
- The Group did not fully comply with administrative requirements of the Breach Notification Rule to maintain written policies and procedures and train members of its workforce regarding breach notification; and
- The Group’s failure to reasonably safeguard the unencrypted thumb drive, which allowed the thief to gain unauthorized access to ePHI, constituted an impermissible disclosure of ePHI.
After OCR concluded its investigation, the Group and OCR entered into a resolution agreement under which the Group agreed to pay OCR $150,000 and to implement and comply with a corrective action plan requiring the Group to:
- Conduct a comprehensive, organizational-wide risk analysis of all ePHI security risks and vulnerabilities covering all of the Group’s electronic media and systems;
- Develop a risk management plan to address and mitigate any security risks and vulnerabilities uncovered in the risk analysis and, if necessary, revise its policies and procedures;
- Forward the risk analysis, risk management plan and revised policies and procedures to OCR for review and approval, and implement any revisions as required by OCR; and
- Comply with reporting requirements.
What does this mean?
In its press release, OCR conspicuously notes that this is the first settlement with a covered entity for not having breach notification policies in place. Although it appears that the Group timely notified the affected individuals, the media and OCR, the Group was sanctioned for failing to maintain written breach notification policies and procedures as required under the Breach Notification Rule. Moreover, the need to implement written policies and procedures (and presumably the possibility of sanctions for failure to do so) is not limited to the Breach Notification Rule; it also applies to other aspects of the HIPAA Rules.
Consistent with its past resolution agreements and guidance, OCR continues to place particular emphasis on risk analysis and encryption. OCR characterized the theft of the unencrypted thumb drive from the vehicle of a staff member, which it determined was caused by the failure to reasonably safeguard the thumb drive, as an impermissible disclosure of ePHI. While encryption is not mandatory under the Security Rule, lack of encryption is likely to invite second-guessing from OCR, as well as other regulators and plaintiffs’ attorneys, if a breach occurs. Moreover, encryption in accordance with National Institute of Standards and Technology (NIST) standards may allow a covered entity or business associate to avoid breach reporting obligations even if ePHI is lost or stolen.
Risk analysis has been a recurring theme in OCR’s resolution agreements and Security Rule guidance. As with the Group, OCR expressed a similar focus on risk analysis in settling with Affinity Health Plan, Inc. in Aug. 2013 for returning used photocopiers without erasing PHI from the copier hard drives, noting in its press release that “covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
Covered entities and business associates face increasing exposure for HIPAA noncompliance. Although HIPAA enforcement has historically focused primarily on covered entities, it is important to keep in mind that business associates are now directly subject to most aspects of the HIPAA Rules and, like covered entities, are potentially subject to HIPAA investigations and audits. In short, OCR can be expected to increase its oversight of the confidentiality and security of PHI and to apply stiffer sanctions upon discovering noncompliance with the HIPAA Rules.
This settlement appears to be another step toward increased HIPAA enforcement activities against covered entities and business associates, and should serve as a reminder of the importance of taking appropriate steps to protect the privacy and security of PHI. Indeed, in a Dec. 26, 2013 press release, OCR Director Leon Rodriguez warned:
“As we say in healthcare, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities and business associates of all sizes need to give priority to securing electronic protected health information.”
Covered entities and business associates who fail to heed this advice may pay a high price for their failure to take appropriate steps to protect the confidentiality and security of PHI. The payment amount for a HIPAA settlement is typically only a small portion of the overall cost incurred due to a breach and resulting investigation. Legal and consulting costs can also be substantial. The attention of staff members and leadership is diverted from other important matters. Implementing a corrective action plan can be a great deal more expensive and time consuming than if effective policies and procedures had been implemented in the first place. Moreover, the impact of a breach on a covered entity’s reputation and relationships may be difficult to quantify. Covered entities and business associates should consider cyber insurance or other means to offset the potentially hefty costs of a breach or investigation that may be incurred even when HIPAA compliance is diligently pursued.
Action steps for covered entities and business associates
In an effort to avoid ending up in the crosshairs for potentially significant costs and liabilities for HIPAA noncompliance, covered entities and business associates must take proactive steps to ensure that their systems, policies and procedures comply with the HIPAA rules as well as applicable state law and minimize the likelihood and consequences of a data breach. Action steps of particular importance include:
- Review and update written HIPAA privacy, security and breach notification policies and procedures;
- Identify and review all business associate relationships and ensure that appropriate business associate agreements are in place (our Healthcare Alert, Who is a HIPAA Business Associate?, is available [here]);
- Perform risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI;
- Take action on security gaps (risk management) and promptly correct identified HIPAA violations;
- Document HIPAA-related determinations and actions;
- Train members of the workforce to comply with the HIPAA Rules and to promptly identify, investigate and respond to possible data breaches;
- Encrypt ePHI to the extent feasible;
- Avoid unnecessary disclosures of PHI; and
- Obtain (or at least determine the feasibility of) cyber insurance.