Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.   OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved  not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts.  The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards.  During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revised and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored in portable devices which have a disturbing tendency to disappear.  Had the backup device been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mediate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc.  Do not wait for OCR to tell you how to respond to the breach.

Our partner Keith McMurdy posted this analysis of a recent HIPAA settlement involving a physician practice on our Employee Benefits Legal Blog:

HIPAA Failure Results In Penalties: Lack of Compliance the Key

By Keith R. McMurdy on January 1, 2014Posted in Plan Administration, Welfare Plans

Often, when I am discussing HIPAA privacy compliance, I am asked about possible penalties for privacy breaches. Plan sponsors sometimes overlook the fact that failing to have a privacy compliance package in place is itself a violation and can lead to some hefty penalties. Such was the case for Adult & Pediatric Dermatology, P.C., a medical provider that had a security breach. While the facts may not be specific to a covered plan, they should serve as a reminder of the potential consequences for failing to be HIPAA compliant.

The provider had a thumb drive stolen from one of the vehicles of a staff member. It was unencrypted and had PHI for about 2,200 people. The Department of Health and Human Services Office for Civil Rights opened an investigation that revealed that the provider had not conducted an analysis of the potential risks and vulnerabilities as part of its security management process. More importantly, HHS also determined that the provider did not fully comply with requirements of the Breach Notification Rule and that it did not have written policies in place or procedures to train employees on HIPAA privacy and handling of PHI. The provider ended up settling the claim for a $150,000 penalty.

This result is significant for 2 reasons. First, it is the first reported settlement of a claim for failure to have policies and procedures in place under the Breach Notification rules under the HITECH Act. Second, it shows that the Office of Civil Rights is serious about investigating instances of an alleged breach and enforcing the rules related to privacy compliance. Covered entities (like health plans) are under an affirmative obligation to implement HIPAA Privacy and Security compliance policies, monitor and train employees and take steps to avoid breaches. There is a reporting obligation if a breach occurs and penalties can come into play not just for the breach, but for failing to comply to prevent the breach from occurring.

At a time when plan sponsors are struggling to comply with the requirements of PPACA, other rules like ERISA and HIPAA Medical Privacy can get overlooked. Employers would do well to remember that sponsoring a health plan means complying with all of the various regulations, not just the ones in the media right now. For help locating and complying with all of the requirements for benefit plans, ask your attorney at Fox Rothschild for assistance.

 

 

 

The first breach settlement announcement of the new year breaks new ground – a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of a breach involving fewer than 500 individuals.  There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft.  The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency’s failure to anticipate the risk of loss of unprotected data on mobile devices which were commonly used by its staff in field work: 

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."  

The emphasis on a small covered entity’s lack of analysis and risk assessment is reminiscent of OCR’s settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and report the details of any such failure including sanctions imposed and steps taken to prevent recurrence.                  

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalance of breaches associated with lost and stolen laptops, it is often forgotten that the loss of unreadable encrypted data is generally not a HIPAA breach. 

Next, all organizations but especially those like hospices, home health agencies and other entities with mobile workforces must prioritize securing mobile devices. For starters, refer to OCR’s guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading.  Some of the advice seems to be common sense (password protection, remote wiping or disabiling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today’s "bring your own device" environment.   OCR has even created a handy one-page Fact Sheet with useful mobile device security tips. 

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013.