OCR is Making a List, Checking it Twice, Gonna Find Out Who Has Not Been Complying with HIPAA
Health & Life Sciences Alert 12/16/19 Meghan C. O'Connor, Sarah A. Erdmann
OCR Closing the Calendar Year with Four (and Counting) HIPAA Settlements in Excess of $1 Million
At the end of November, the US Department of Health & Human Services Office for Civil Rights (OCR) announced its fourth HIPAA settlement of over $1 million in the last five weeks. This ramp-up in number and financial amounts in settlements follows an otherwise slower HIPAA enforcement year with sporadic settlements (including the second right of access settlement announced last week). The 2019 actions follow OCR’s record-breaking year of $28.7 million in settlements and judgments in 2018 (22% higher than the next-highest year, 2016).
While recent $1.6 million–$3 million 2019 settlements and civil money penalties address substantive HIPAA issues that are not novel (e.g., failure to provide breach notifications, lack of business associate agreements, failure to conduct a risk analysis, lack of access and audit controls, failure to utilize device and media controls, lack of encryption, failure to restrict access to protected health information [PHI] to the minimum necessary), these newest settlements are illustrative. Two provide good insight into OCR’s internal process in an enforcement action, including how OCR determines and calculates an appropriate penalty. In addition, the corrective action plans included in these recent settlements are detailed and prescriptive and provide a good road map for internal compliance teams looking at opportunities for improving their organizations’ HIPAA compliance posture.
Further, the increasing pace and size of these settlements and penalties is notable. We have also been seeing an increase in interest from state Attorneys General in HIPAA breaches. Are we seeing a newly engaged enforcement stance from OCR, and will this increase and emphasis on HIPAA enforcement (and settlement/penalty amounts) carry into 2020? Also, will we see greater cooperation and collaboration between OCR and state Attorneys General? Only time will tell. In the meantime, a summary of each recent settlement is included below for your holiday reading pleasure:
Misdirected Bills: $2.175 Million Settlement for Failure to Properly Notify HHS of a Breach of Unsecured PHI
OCR entered into a settlement agreement with a hospital system that sent hospital bills containing PHI to the wrong patients and failed to provide appropriate notification of the breach. The settlement includes corrective action, a two-year corrective action plan, and a $2.175 million payment to settle potential violations of the HIPAA Breach Notification and Privacy Rules. The hospital system (an affiliated covered entity) operates 10 acute care hospitals in Virginia and North Carolina.
The settlement was the result of an OCR investigation initiated after OCR received a complaint from a patient who received a hospital bill intended for and containing another patient’s PHI. After an investigation, OCR determined that due to a mail merge accident, 577 patients had received these misdirected bills containing PHI of other patients, including name, account number, and dates of services. OCR alleges that the hospitals provided breach notification with regard to only eight individuals after concluding—incorrectly—that notification was only required if a patient’s diagnosis, treatment information, or other medical information were disclosed. In announcing the settlement, OCR noted that the hospitals failed to properly report the breach even after OCR explicitly advised the hospitals of their duty to do so. OCR’s investigation also indicated the lack of a business associate agreement between the parent corporation of the hospitals and the subsidiary hospitals despite the parent corporation’s provision of business associate services to the hospitals.
OCR’s Breach Investigation Uncovers No Access Controls or Risk Analysis: $1.6 Million Civil Money Penalty Against State Agency
OCR imposed a $1.6 million civil money penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for violations of the HIPAA Privacy and Security Rules. This is a rare OCR fine against a state agency. The Texas Department of Aging and Disability Services (DADS), which was reorganized into TX HHSC, provides, among other services, health care services (e.g., Medicaid, long-term care services, and behavioral health services), manages day-to-day operations of state-supported living centers, and oversees regulatory functions such as licensing and credentialing of long-term care facilities.
TX HHSC submitted an OCR breach notification explaining that electronic PHI (ePHI) of 6,617 individuals was viewable over the Internet, including names, addresses, social security numbers, and treatment information. According to the settlement, the incident occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to electronic PHI without access credentials and without auditing capabilities. OCR noted that as part of the investigation, it discovered that there were no access controls on any of TX HHSC’s systems or applications and TX HHSC failed to conduct an enterprise-wide risk analysis.
OCR notes that it issued a Letter of Opportunity providing TX HHSC with an opportunity to submit written evidence of mitigating factors or affirmative defenses. OCR reports that TX HHSC did not provide any such evidence, and OCR moved to issue CMPs. OCR issued CMPs at the penalty tier of “reasonable cause” and considered the amount of time TX HHSC remained out of compliance (violations from 2013-2019) an aggravating factor. According to OCR, “No one should have to worry about their private health information being discoverable through a Google search.”
$3 Million Settlement with Medical Center After Failing to Encrypt Mobile Devices
A New York state-based academic medical center agreed to pay $3 million and enter into a two-year corrective action plan. According to OCR, the medical center filed two separate breach reports—first in 2013 after discovering that PHI was impermissibly disclosed through a lost, unencrypted flash drive, and then again in 2017 after the theft of an unencrypted personally owned laptop of a provider containing electronic PHI of 43 patients.
OCR reported that its investigation into the 2017 laptop theft revealed that the medical center failed to conduct an enterprise-wide risk analysis, implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, utilize device and media controls, or employ a mechanism to encrypt and decrypt electronic PHI when it was reasonable and appropriate to do so.
In its announcement of the settlement for the 2017 breach, OCR made sure to note that it had investigated and provided the medical center with technical assistance regarding a similar breach involving a lost unencrypted flash drive in 2010. OCR also noted that the 2017 settlement involved “substantial corrective action,” including prescriptive requirements related to an enterprise-wide risk analysis, risk management plan, evaluating environmental and operational changes, distribution and updating of policies and procedures, training, and required implementation and annual reports. The corrective action plan makes a good roadmap for covered entities analyzing their own priorities for internal improvements.
A $3 million settlement for a breach that affected 43 individuals seems extreme from what we have come to see from OCR. However, given the three separate issues with unencrypted mobile devices, we have yet another example of how seriously OCR takes encryption. Encrypting mobile devices like laptops and flash drives should be a priority for covered entities and business associates alike.
Importance of Documentation and Roadmap for OCR’s Enforcement Process: $2.154 Million Penalty Against Health System
OCR imposed a civil money penalty of $2.154 million against a nonprofit academic medical system in Miami, Florida for violations of the HIPAA Security and Breach Notification Rules between 2013 and 2016. OCR announced that the hospital system had waived its right to a hearing, did not contest OCR’s findings in its Notice of Proposed Determination, and agreed to pay the full CMP assessed by OCR. This Notice of Proposed Determination presents a particularly helpful tool for understanding the enforcement process for entities of any size, including OCR data requests, OCR’s analysis in reviewing responses and supporting documentation, and how OCR determines appropriate CMPs.
There are a number of relevant facts:
- The hospital system submitted a 2013 breach report to OCR stating that its Health Information Management Department had lost paper records containing the PHI of 756 patients. OCR reports that during the hospital system’s internal investigation, it discovered that an additional three boxes of patient records were also lost; however, the hospital system did not report the additional loss, or the resulting increase in the number of affected individuals to 1,436, until 2016.
- OCR initiated an investigation in 2015 following a media report disclosing the PHI of a patient when a reporter shared on social media a photograph of an operating room screen containing the patient’s medical information. According to OCR, the hospital system subsequently determined that two employees had accessed this patient’s medical record without a job-related purpose.
- In addition, in 2016, the hospital system submitted a breach report that an employee had been selling patient PHI and had, since 2011, inappropriately accessed over 24,000 patients’ records.
According to OCR, its investigation revealed the hospital system failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to electronic PHI to the minimum necessary to accomplish their job duties.
Of particular interest is OCR’s breakdown related to risk analyses. In response to OCR data requests, the hospital system provided risk analyses conducted by third parties in 2014, 2015, 2016, and 2017 as well as internal assessments in 2009, 2012, and 2013. Clearly OCR reviewed the documents, and in its Notice of Proposed Determination, OCR noted that the risk analyses were not sufficient for a variety of reasons, including:
- Analyses conducted before 2017 erroneously identified several provisions of the Security Rule as not applicable to the hospital system.
- Multiple analyses were deficient in scope (i.e., failed to include all electronic PHI) and did not identify the totality of threats and vulnerabilities that exist in its system.
- The hospital system did not provide evidence or documentation of a response to third party recommendations from the 2014 analysis.
- Certain portions of multiple analyses were left blank.
- The hospital system did not remediate risks, threats, and vulnerabilities identified specifically by the 2015 risk analysis to a reasonable and appropriate level. OCR’s analysis emphasized that, although the third party had provided recommendations, the threats identified as high risk in 2014 were still identified as high risk in 2015.
This Notice of Proposed Determination demonstrates the importance of documenting the risk analysis process, findings, recommendations, and mitigation plan as well as taking appropriate action in response. This enforcement action emphasizes the need to live with the risk analysis throughout the year rather than let it gather dust on the shelf until the next risk analysis. Entities of any size and complexity would find this Notice of Proposed Determination helpful in thinking through internal opportunities for improvement in the compliance process.
We recommend that covered entities make “revisiting their HIPAA compliance programs” an item on their 2020 New Year’s resolution list, and keep in mind that these recent settlements and penalties are a good roadmap of OCR’s pain points, tolerance for noncompliance, and process and judgments in an enforcement action.