The passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) armed the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) with new tools to enforce provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although HITECH was passed in 2009, the Final Rule implementing the tiered penalty structure set forth in HITECH, which allows for penalties significantly greater than those permitted under the previous penalty framework, was not promulgated until January of 2013.[1] Accordingly, despite the availability of an increased penalty framework, healthcare providers rarely saw the multi-million dollar penalties that many in the industry had predicted as far back as 2010. Over the last two years, however, healthcare industry companies have seen increased enforcement activity from the OCR, resulting in more frequent and higher-dollar HIPAA settlements. This article covers eight of the highest-profile HIPAA resolutions in 2015 and early 2016 and the corrective measures each organization had to implement as a result of the resolution agreements.
Although these are only the top eight cases, HIPAA breaches occur almost daily, and those affecting 500 or more individuals can be found on the OCR website under HHS’ Breach Portal.[2] 2015 also saw an uptick in state law enforcement actions and lawsuits related to healthcare information privacy and security under theories such as negligence and invasion of privacy.[3]
Each of the incidents reported below affected more than 500 individuals and, despite the national dialogue regarding cybersecurity concerns,[4] was not an outside attack on the organization. In fact, most of these reported breaches were internal mistakes and mishandling of Protected Health Information (PHI) or electronic PHI (ePHI), and they illustrate lessons to be learned so that covered entities and business associates don’t make the same costly errors in the future.
1. Triple-S Management Corporation (TSS):[5] TSS, an insurance holding company and the largest medical insurance provider in San Juan, Puerto Rico, agreed in 2015 to pay $3.5 million due to multiple HIPAA breaches over the past five years. These breaches included improper database access by a former employee whose access was not immediately terminated, transfer of PHI data to another employee’s computer, PHI disclosed on pamphlets mailed to 13,000 beneficiaries, and other unauthorized disclosures related to health plan beneficiary mailings, such as sending insurance ID cards to the wrong beneficiaries and printing identification numbers on envelope labels. This is the third-largest settlement to date.
2. Lahey Hospital and Medical Center (LHMC):[6] LHMC settled a case with the OCR in 2015 for $850,000 that stemmed from a 2011 breach of PHI in which an unencrypted laptop that accompanied a portable CT scanner was stolen from an unlocked treatment room in the facility’s radiology department. In this case, again, basic security measures were not followed, nor were they included in the policies and procedures of the organization. The laptop hard drive contained ePHI of 599 individuals. Evidence obtained through the OCR's subsequent investigation indicated widespread non-compliance with the HIPAA Rules, including failure by LHMC to conduct a thorough risk analysis of all of its ePHI; failure to physically safeguard a workstation that accessed ePHI; failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations used in connection with diagnostic/laboratory equipment; lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident; failure to implement procedures that recorded and examined activity on the workstation at issue in this incident; and impermissible disclosure of 599 individuals' ePHI. In addition to the $850,000 settlement, LHMC must address its history of noncompliance with the HIPAA Rules by providing the OCR with a comprehensive, organization-wide risk analysis and corresponding risk management plan, as well as comply with certain reporting requirements.
3. University of Washington Medicine (UWM):[7] UWM settled a case with the OCR in 2015 for $750,000, with a corrective action plan and an annual report on the organization’s compliance efforts. The breach stemmed from a 2013 incident in which ePHI of approximately 90,000 individuals was accessed after an employee downloaded an email attachment that contained malware. The malware compromised the organization's IT system, affecting the data of two different groups of patients. The first group affected approximately 76,000 patients and involved a combination of patient names, medical record numbers, dates of service, and/or charges or bill balances; the second group affected approximately 15,000 patients and involved names, medical record numbers, and other demographics such as address and phone number, dates of birth, charges or bill balances, social security numbers, and insurance identification or Medicare numbers. The OCR's investigation found that although UWM's security policies required its affiliated entities to have up-to-date, documented system-level risk assessments and to implement safeguards in compliance with HIPAA’s Security Rule, UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.
4. Cancer Care Group, P.C. (CCG):[8] This radiation oncology group in Indiana was fined $750,000 in 2015 for an incident that occurred in 2012. As in several other security breaches, a laptop bag containing a laptop computer and unencrypted backup media was stolen from an employee’s automobile. The OCR contended that CCG had not conducted an enterprise-wide risk analysis when the breach occurred, and that the organization did not have a written policy in place addressing whether hardware and electronic media containing ePHI should be removed from its facilities at all and, if so, how.
5. St. Elizabeth’s Medical Center (SEMC):[9] SEMC workforce members had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. The risks associated with this practice were not fully evaluated or documented, and policies and procedures were not in place for sharing data. Moreover, the OCR stated that SEMC “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.” SEMC was fined $218,400 in 2015 as part of the settlement.
6. Cornell Prescription Pharmacy (CPP):[10] The OCR reached a settlement in 2015 with CPP, a small, single-location pharmacy in Denver that provides in-store and prescription services to patients in the area. It was accused of improperly disposing of documents containing 1,600 patients’ PHI in an unlocked, open dumpster. Even though the organization was a small pharmacy in Colorado, the OCR contended that it, too, needed to evaluate its PHI and implement proper safeguards to protect it.
7. Lincare:[11] In January 2016, an HHS Administrative Law Judge (ALJ) upheld the $239,000 civil monetary penalty proposed by the OCR related to the company’s failure to safeguard PHI by allowing disclosure of PHI to an unauthorized individual and Lincare’s failure to develop adequate HIPAA policies and procedures. The case began as the result of a complaint from the husband of a Lincare manager, who relayed that the Lincare manager had left behind documents containing PHI of Lincare patients when she left him during a “rough patch” in their marriage.[12] In its opinion, the ALJ took specific issue with the fact that the Lincare manager acknowledged that she left the records in her car, which was then in her husband’s possession, and that she did not even know where the car was located.[13] On the issue of HIPAA policies, although the ALJ acknowledged that PHI needed to be removed from the office on occasion due to the nature of Lincare’s business, the ALJ cited Lincare for failing to include any mention in its HIPAA policies of how to safeguard information removed from its offices.[14] Because the case was resolved through civil monetary penalties, no corrective action plan was required of Lincare.
8. Advocate Health Care Network:[15] On August 4, 2016, OCR announced that Advocate Healthcare in Chicago, IL had agreed to settle a HIPAA enforcement matter for $5.5 million, the largest HIPAA settlement to date.[16] This settlement came as a result of several breach reports made by Advocate Health Care Network and its subsidiaries in the fall of 2013. The conduct at issue involved the theft of four desktop computers and one laptop computer containing PHI of over 4 million patients, and the potential unauthorized access of the computer system of one of Advocate’s business associates, from which Advocate had failed to obtain a signed business associate agreement. Although Advocate had conducted a risk analysis, the corrective action plan required Advocate to conduct a more thorough risk analysis that incorporated all of the facilities it owns or leases.
In addition to the monetary penalties highlighted above, each entity except Lincare was required to enter into a corrective action plan (CAP) which frequently involved conducting a risk assessment or gap analysis of the entity’s current HIPAA Privacy and Security programs, strengthening policies and procedures, and complying with certain reporting requirements to the OCR.
Major Themes Revealed
Although each reported element of non-compliance outlined above serves as a “lesson learned” in itself, the following summarizes some of the major themes with which healthcare organizations, and the healthcare attorneys advising their clients on these issues, should familiarize themselves in 2016 and beyond.
1. Risk Assessments Still Crucial: In every matter cited in this article other than SEMC, the OCR cited organizations for their failure to conduct and document a thorough privacy and security risk assessment. In addition to being required by HIPAA,[17] conducting a thorough risk assessment remains the single best place to start in developing a robust privacy and security program. The need for covered entities and their business associates to have completed a risk assessment will become even more crucial this year given the OCR’s launch of Phase 2 of its HIPAA audit program in early 2016.[18] For those providers and attorneys unfamiliar with the basic framework of a risk analysis, the OCR offers many helpful tools on its website.[19]
2. Enterprise Risk Management: In the wake of the industry consolidation that has followed the Patient Protection and Affordable Care Act, healthcare organizations face challenges in designing HIPAA Privacy and Security regimes that are robust enough to account for a variety of provider types. Moreover, more often than not, Health IT compatibility and interoperability are only a secondary consideration in provider transactions. Given the increased scrutiny on HIPAA compliance, thorough pre-transaction due diligence should be completed; it may also serve as a roadmap for integrating the new provider into the enterprise’s overall HIPAA compliance strategy. Risk assessments must likewise be broad enough to include new sites and software systems that are incorporated into the provider’s overall structure.
3. Small Organizations Still in Jeopardy: In keeping with a lesson learned from 2014,[20] the 2015 enforcement action against CPP instructs that even the smallest healthcare organizations are at risk of being found non-compliant by the OCR and facing stiff fines. Although the security measures may not need to be as robust at small organizations as at large organizations,[21] all entities, regardless of size, must evaluate and document what level of privacy and security policies and procedures is appropriate for their organization.
4. Timely Response Essential: In addition to the problems caused by breaches themselves, recent settlements indicate that the OCR has renewed its focus on entities that failed to respond in a timely manner to breaches and potential breaches, as evidenced in the CCR settlement and the Lincare decision. The OCR cited lack of timely investigation, reporting, and follow-up as an aggravating factor that led to increased fines and the need to implement corrective action plans.
5. Cloud Storage: As the information storage needs of healthcare organizations continue to grow, more and more companies will move away from “private cloud” solutions and will rely on “hybrid-cloud” or “third-party hosted clouds” available from third-party vendors like Amazon Web Services, Microsoft Azure, and Rackspace or cloud-based EHRs like eClinicalWorks to host their data. Before entering into definitive data hosting agreements with these types of companies, an organization should ensure that agreements with these third parties will contain the necessary representations and warranties regarding information privacy and security, especially to the extent that they are acting as business associates. Although there is a perception that many large vendors like those listed above are unwilling to negotiate the terms of their service contracts, there has been some loosening of this practice as these entities evaluate the market opportunity of hosting healthcare data.[22]
6. Document Sharing and Collaboration Products: Many healthcare organizations qualifying as covered entities and business associates have begun to explore new models of employee collaboration. Many new products focused on improving employee communication (e.g., Yammer, Salesforce’s Chatter, and HipChat, not to mention traditional file sharing platforms like Dropbox[23] and Box.com) offer enhanced chat-like features as an alternative to traditional enterprise e-mail solutions. These new technologies enable employees to collaborate in real time by sharing files (images, videos, etc.) in addition to text-based communication. As was evident in the SEMC case outlined above, not all of these new technologies are designed with the sharing of sensitive data like ePHI in mind. Accordingly, healthcare organizations should develop policies and procedures governing the use of third-party document sharing and collaboration products and should thoroughly vet these products’ functionality before staff are authorized to use them.
7. Secure Disposal of Paper Records: Although much of the focus of HIPAA Security programs is on the management of electronic information, covered entities and business associates should also take care to continue to properly safeguard any PHI stored in paper records. As evidenced by the settlement with CPP, failure to properly dispose of PHI stored in paper records can lead to significant monetary fines.
8. Business Associates: Covered Entities’ reliance on business associates to manage, use, or otherwise handle PHI continues to present risks to covered entities. In addition to securing written assurances from business associates regarding their safeguarding of PHI, covered entities should also consider mechanisms to monitor and verify business associates’ compliance with their obligations under business associate agreements.
9. Hackers/Ransomware: In addition to more traditional security incidents involving criminals hacking IT systems to gain access to medical record numbers, social security numbers, and credit card information, the last two years have also seen an uptick in “ransomware” activity by hackers, whereby a healthcare company’s IT system is “locked down” by a third party until some amount is paid to the hacker. Although a thorough discussion of ransomware is beyond the scope of this article, healthcare providers are well-advised to begin thinking through their ransomware response strategies. In addition to the financial and reputational burden of these types of security incidents, patient care is also put at risk.
The uptick in OCR enforcement activity and the increased settlement amounts have sent a clear message to the healthcare industry about the importance that the OCR places on safeguarding patient information. Although interoperable IT systems continue to be championed as a means to improve healthcare quality and speed access to information, the security issues associated with these systems continue to cause headaches for privacy and security professionals. Despite these challenges, commonsense approaches to HIPAA compliance like comprehensive risk assessments, well-developed policies and procedures, and prompt response to issues as they arise are necessary steps and continue to be well received by the OCR.
Anjali Bajaj Dooley, JD, MBA is chief operations officer and healthcare legal counsel for MedAware Solutions in St. Louis, MO. Her primary focus is on healthcare regulatory compliance and closing business transactions. Her practice areas include Privacy & Security Law, Data Breach Analysis, HIPAA Compliance, Telemedicine Regulatory Compliance, Cybersecurity Law, Corporate Governance and Capital Funding and Business Development for Start-Ups. She is the American Bar Association Health Law Section’s Web & Technology Vice-Chair; the ehealth, Privacy & Security Interest Group Vice Chair; a member of the Health Law Section’s Military & Veterans Task Force; Vice-President of the South Asian Bar Association-Saint Louis Chapter; and a member of the Saint Louis University Pre-Law Honors Task Force. She is an adjunct professor at Saint Louis University and a legal analyst for local and national news outlets and magazines. She was also named by Missouri Lawyers Media as one of its “Up & Coming Lawyers under 40.” (2012). She may be reached at email@example.com.
Jonathan E. Brouk, Esq. is a healthcare regulatory and transactional attorney residing in New Orleans, LA. His practice focuses on providing corporate and regulatory advice to healthcare providers and health information technology companies. In March 2016, Mr. Brouk joined Children's Hospital New Orleans as its Director of Compliance and Privacy Officer. He currently serves as the Vice Chair of Publications for the ABA Health Law Section's e-Health Interest Group. He may be reached at firstname.lastname@example.org.
Notes
1. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (January 25, 2013).
2. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 2, 2016).
3. For example, in February 2015, Modern Healthcare reported that more than 50 class action lawsuits had been filed as a result of the highly publicized Anthem breach. Conn, Joseph, Legal Liabilities in Data Breach Extend Far Beyond Anthem, Modern Healthcare, February 23, 2015 (available at: http://www.modernhealthcare.com/article/20150223/NEWS/302239977). See also Freeman, Liz, 21st Century Oncology Hit With Four SWFL Suits Over Breach, Naples Daily News, March 30, 2016 (http://www.naplesnews.com/news/health/oncology-firm-hit-with-four-swfl-suits-over-breach-2f4ac472-2c3c-6f6d-e053-0100007f7ece-374041471.html) (last visited March 31, 2016).
4. For further information, see, e.g., the White House’s National Cybersecurity Initiative, detailing cybersecurity as one of the most serious economic and security challenges faced by the United States (https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative).
5. TSS Resolution Agreement with OCR is available at: http://www.hhs.gov/sites/default/files/Triple-S%20-%20OCR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan%20in%20Final%20%28508%29.pdf.
11. http://www.hhs.gov/sites/default/files/lincare-nfd-for-web.pdf; see also http://www.hhs.gov/sites/default/files/lincare_decision_remediated.pdf.
12. Director of the Office of Civil Rights v. Lincare, Inc. d/b/a United Medical, HHS Civil Remedies Division, Departmental Appeal Board, Decision No. CR4505 (January 13, 2016), page 2.
13. Id. at 9.
14. Id. at 11.
16. Several other multimillion dollar settlements were also announced this summer: University of Mississippi Medical Center ($2.75 million; http://www.hhs.gov/sites/default/files/UMMC_racap_508.pdf); Oregon Health & Science University ($2.7 million; http://www.hhs.gov/sites/default/files/ohsuracap_508.pdf); New York Presbyterian Hospital ($2.2 million; http://www.hhs.gov/sites/default/files/nyp-nymed-racap-april-2016.pdf).
17. See 45 C.F.R. 164.308(a)(1)(ii)(A) (2015).
18. For information regarding the OCR’s Phase II audit program, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html.
19. See the OCR Risk Assessment Tool, available at http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html (last visited March 31, 2016). The OCR makes the risk assessment tool available in both HTML and paper format.
20. In December 2014, a single physician practice was fined $150,000 for not having HIPAA policies and procedures in place.
21. One of the hallmarks of HIPAA’s security standards is its flexibility of approach. See 45 C.F.R. 164.306(b) (2015) (“(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity or business associate, (ii) the covered entity’s or business associate’s technical infrastructure, hardware, and software security capabilities, (iii) the costs of security measures, and (iv) the probability and criticality of potential risks to electronic protected health information”).
22. For some tips on negotiating these sorts of agreements, see Muscarella, Jeff, 5 Ways to Negotiate Smarter During your Next Microsoft Renewal (available at: http://www.cio.com/article/2922091/best-practices/5-ways-to-negotiate-smarter-during-your-next-microsoft-renewal.html) (last visited March 31, 2016).
23. In November 2015, Dropbox announced that it would begin signing business associate agreements in order to better serve its healthcare industry customers. See Dropbox Now Supports HIPAA and HITECH Act Compliance, available at https://blogs.dropbox.com/business/2015/11/support-for-hipaa-and-hitech/ (last visited March 31, 2016).