On consecutive days, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently announced two large settlements for breaches of the Health Insurance Portability and Accountability Act (HIPAA). On March 16, 2016, OCR announced that it had entered into a resolution agreement with North Memorial Health Care of Minnesota for $1.55 million plus a two-year corrective-action plan. On March 17, 2016, OCR followed by announcing that Feinstein Institute for Medical Research, a New York biomedical research institute, agreed to pay $3.9 million and enter into a three-year corrective-action plan to settle potential HIPAA violations. Both cases resulted from the all-too-familiar scenario of breaches caused by stolen, unencrypted laptops.
In the Minnesota hospital breach, the unencrypted laptop containing the personal health information (PHI) of over 9,000 individuals was stolen from the locked car of an employee of a business associate of the hospital. According to the OCR’s investigation, the hospital failed to have a business-associate agreement in place with that particular business associate. OCR also alleged that the hospital had not previously performed a risk analysis to identify and address potential risks and vulnerabilities to the electronic PHI (ePHI) it maintained, accessed, or transmitted.
In the New York research-corporation breach, OCR alleged that the institution did not have policies and procedures in place, including a policy on encryption and one that addressed the use and access of electronic devices (e.g., the removal of the devices from the institution’s facility), nor did it have in place a security-management process that sufficiently addressed potential security risks and vulnerabilities to ePHI, namely, its confidentiality, vulnerability, or integrity. Notably, the stolen, unencrypted laptop contained the PHI of about 13,000 individuals. Both OCR settlements also include multi-year corrective-action plans requiring the hospital and the research facility to conduct risk analyses/assessments, train their employees, and have HIPAA-compliant policies and procedures in place.
OCR’s 2016 breach enforcement appears to be off to a very strong start with these two high-dollar settlements. Lessons learned from both breaches include the significance of encrypting electronic devices, regularly conducting and updating security-risk assessments and analyses, having adequate safeguards in place to protect PHI, having business-associate agreements with all business associates, and having and implementing HIPAA policies and procedures to protect the security and privacy of PHI—including, for example, policies related to encryption, authorized access to ePHI/PHI, and removal of electronic devices from facilities.
— Gregory M. Fliszar and J. Nicole Martin, Cozen O'Connor P.C., Philadelphia, PA