OCR strikes again with 3 recent HIPAA settlements
Lahey Hospital and Medical Center – Settlement amount: $850,000
On November 25, 2015, OCR announced its settlement with Lahey Hospital and Medical Center (“Lahey”) in Burlington, MA, four years after the security incident at issue occurred. Lahey notified OCR that an unencrypted laptop was stolen from an unlocked treatment room during the night of August 11, 2011. The laptop’s hard drive contained protected health information (PHI) of 599 individuals. An investigation was conducted by OCR, and a settlement required Lahey to pay $850,000 and adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. In addition, Lahey must provide OCR with a comprehensive risk analysis and corresponding risk management plan, report certain events, and provide evidence of compliance.
Triple-S Management Corporation – Settlement amount: $3.5 Million
Just five days after the Lahey settlement, OCR announced its settlement with Triple-S Management Corporation (“Triple-S”), an insurance holding company based in San Juan, Puerto Rico, which offers a range of insurance products and services to Puerto Rico residents. Over a period of time, Triple-S made multiple breach notifications to OCR. As a result, OCR launched an investigation that revealed widespread non-compliance among Triple-S’s subsidiaries, including:
- Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of the PHI of Triple-S’s beneficiaries;
- Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
- Use or disclosure of more PHI than was necessary to carry out mailings;
- Failure to conduct an accurate and thorough risk analysis incorporating all IT applications and data systems utilizing ePHI; and
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
University of Washington Medicine – Settlement amount: $750,000
The third settlement, announced by OCR on December 14, 2015, was with the University of Washington Medicine (“UWM”), pursuant to which UWM agreed to settle charges that it potentially violated the HIPAA Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. OCR conducted an investigation of UWM after receipt of a breach report on November 27, 2013, related to the ePHI of approximately 90,000 individuals. The breach occurred after an employee opened an e-mail attachment containing malware, which compromised UWM’s IT system. The information disclosed included patient names, addresses, dates of birth, social security numbers, phone numbers, medical record numbers, dates of service, insurance information, Medicare numbers, and charges or bill balances.
OCR’s subsequent investigation revealed that UWM’s security policies and procedures required its affiliates to have current, documented system-level risk assessments and to implement safeguards required by the HIPAA Security Rule. However, UWM failed to ensure that all of its affiliates properly conducted risk assessments and appropriately responded to potential risks and vulnerabilities. The settlement requires UWM to pay $750,000, implement a corrective action plan, and submit annual reports on its compliance efforts.
Key takeaways
- In all three settlements, the entity failed to conduct an acceptable risk analysis. It is critical that HIPAA covered entities and their business associates not only implement policies and procedures requiring that accurate and thorough risk analyses be regularly conducted, but also ensure that such risk analyses are actually performed and that they cover all applicable systems, including every IT application and data system that creates, receives, maintains, or transmits ePHI.
- Covered entities and business associates should regularly review and revise their HIPAA policies and procedures to address any potential risks or vulnerabilities discovered during risk assessments, and to ensure that the appropriate administrative, physical, and technical safeguards are in place to protect the privacy and security of PHI.
- Ongoing training should be conducted for all employees so that they are equipped with the knowledge and skills to proactively safeguard PHI and respond to any security incidents and data breaches that may arise.
What to expect in 2016
While OCR continues to actively enforce HIPAA regulations and investigate breaches, a 2015 report issued by the Office of Inspector General shows that OCR has focused primarily on breaches affecting 500 or more individuals, often not investigating smaller breaches because of limited federal resources. This does not mean that smaller providers can be lax in their compliance standards, however, as it is always critical to act in compliance with applicable privacy and security regulations.
In fact, we will probably see more OCR investigations in 2016 of breaches affecting fewer than 500 individuals. Therefore, it is critical that providers take steps now to review their HIPAA compliance, as OCR is gearing up to initiate a second round of HIPAA audits proposed for 2016. You can refer to “The time to prepare for a HIPAA audit is now” for more information on the expected HIPAA audits and related action steps.
For more information, please contact one of the attorneys listed below.