By: Susan St. John
In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest, $31,000, resolved potential HIPAA violations arising from a single missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under scrutiny from HHS’ Office for Civil Rights (“OCR”). The pediatric group had used the ePHI record storage company since 2003, yet could not locate or provide the OCR with a BAA signed prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management were not thoroughly undertaken.
The largest settlement, $5.5 million, is to be paid by Memorial Healthcare Systems (“MHS”), located in south Florida. MHS operates six hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities, and is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals: MHS employees impermissibly accessed ePHI, and ePHI was impermissibly disclosed to affiliated physicians, through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had HIPAA and Security Rule policies and procedures in place, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access, as HIPAA requires. Further, MHS failed to regularly review records of information system activity in applications that maintain ePHI, whether that activity came from its own workforce or from users at affiliated physician practices, even though MHS had identified this very risk in risk analyses conducted from 2007 to 2012.
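The two controls MHS lacked, terminating access for departed users and regularly reviewing activity in ePHI applications, can be approximated with a simple reconciliation: compare the application access log against a termination roster that covers affiliated practices’ staff as well as the covered entity’s own workforce. The following is an added example written for this page, not code from MHS, the OCR, or the original post; the log format, field names, usernames, dates and roster are all constructed for illustration.

```python
"""Added example (not from the original post): reconcile ePHI application
access logs against a workforce roster to catch (a) accounts used on or
after their termination date and (b) accounts the roster does not know at
all. Log format, account names, dates and roster are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    application: str
    action: str
    record: str


# Constructed sample log: one line per access to an application holding ePHI.
SAMPLE_LOG = """\
2017-03-01T08:12:44Z,jdoe,EHR,view,PT-1001
2017-03-01T09:30:02Z,asmith,EHR,view,PT-2044
2017-03-02T14:05:19Z,jdoe,Billing,export,PT-1001
2017-03-02T23:59:59Z,tmp_admin,EHR,view,PT-1002
2017-03-03T11:47:53Z,rlee,EHR,view,PT-3090
2017-03-04T02:15:00Z,asmith,EHR,view,PT-2051
"""

# Constructed roster: account -> (employer, termination date or None if active).
# The roster must include staff of affiliated practices, not only the covered
# entity's own employees, because the account being misused may belong to a
# former employee of an affiliated physician rather than to your workforce.
ROSTER = {
    "jdoe": ("Memorial Healthcare", None),
    "asmith": ("Affiliated Physician Practice", datetime(2017, 3, 3, tzinfo=timezone.utc)),
    "rlee": ("Memorial Healthcare", datetime(2017, 3, 10, tzinfo=timezone.utc)),
}


def parse_log(text):
    """Parse the constructed CSV log format into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, action, record = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(when, user, app, action, record))
    return events


def access_after_termination(events, roster):
    """Return (event, employer) pairs where the account was used on or after
    the date the roster says it should have been disabled."""
    flagged = []
    for ev in events:
        employer, term_date = roster.get(ev.user, (None, None))
        if term_date is not None and ev.when >= term_date:
            flagged.append((ev, employer))
    return flagged


def unknown_accounts(events, roster):
    """Return account names seen in the log that the roster does not know;
    these need an owner before the review can be considered complete."""
    return {ev.user for ev in events if ev.user not in roster}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, employer in access_after_termination(evs, ROSTER):
        print(f"POST-TERMINATION ACCESS: {ev.user} ({employer}) "
              f"{ev.action} {ev.record} in {ev.application} at {ev.when.isoformat()}")
    for user in sorted(unknown_accounts(evs, ROSTER)):
        print(f"UNKNOWN ACCOUNT: {user} is not in the roster")
```

Run on the constructed data, the check flags asmith’s access the day after the affiliated practice’s termination date and reports tmp_admin as an account with no roster owner; rlee’s access is not flagged because it precedes the termination date. The value of the exercise is in the roster: if affiliated practices do not feed terminations into it, the review cannot catch exactly the scenario described above.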
Other settlement agreements revolve around similar themes: insufficient policies and procedures, insufficient risk analysis and risk management, or insufficient or no implementation of existing policies and procedures related to HIPAA and the Security Rule. For example, CardioNet agreed to pay $2.5 million to settle potential HIPAA violations arising from the impermissible disclosure of ePHI when an employee’s laptop was stolen, and from not having adequate risk analysis and risk management processes in place at the time. The laptop contained ePHI for almost 1,400 individuals. Although CardioNet had draft HIPAA policies and procedures, it had never implemented them.
Similarly, Metro Community Provider Network (“MCPN”) was found not to have conducted a timely risk analysis assessing the risks and vulnerabilities of its ePHI environment before a hacker accessed employees’ email accounts and obtained the ePHI of 3,200 individuals. When MCPN did eventually conduct a risk analysis, it was insufficient and did not meet the requirements of the Security Rule.
Another provider, Children’s Medical Center of Dallas (“Children’s”), entered into a $3.2 million settlement related to impermissible disclosure of unsecured ePHI and many years of non-compliance with HIPAA. Children’s lost an unencrypted BlackBerry device with no password protection and had an unencrypted laptop stolen. These two events potentially compromised the ePHI of over 6,200 individuals. Children’s did not have sufficient safeguards in place, such as risk management plans, even though prior external recommendations had called for them.
MAPFRE Life Insurance Co. of Puerto Rico (“MAPFRE”) entered into a $2.2 million settlement stemming from the theft of a USB storage device containing the ePHI of 2,209 individuals. MAPFRE had failed to conduct a risk analysis and implement risk management plans, despite prior recommendations. Further, MAPFRE did not have encryption or an equivalent alternative measure for laptops or removable storage media until September 2014, and corrective measures were otherwise not in place.
Given these settlement amounts, and OCR’s repeated findings of insufficient policies and procedures or failure to implement existing ones, it is vitally important for health care providers and business associates to have effective policies and procedures that are actively followed, to help ensure the security of ePHI and PHI. Health care providers and business associates should assess their current policies, procedures and protocols to ensure past, current and future compliance with HIPAA and the Security Rule. As these few cases demonstrate, it is not enough to have conducted a risk analysis once or to have draft policies and procedures; the health care provider or business associate must actively manage risk by implementing and adhering to meaningful policies, procedures and protocols, and by periodically re-evaluating their effectiveness.
The Florida Healthcare Law Firm recommends undertaking a risk analysis/assessment and an evaluation of practices and safeguards that limit unnecessary or inappropriate disclosure of ePHI or PHI at least annually, or more frequently as needed. Keep in mind that it is important to be diligent and proactive in assessing your risk management plan and the effectiveness of your policies and procedures. Anything less could be very costly.