Matthew Redding contributed to this post.

It’s a familiar story: a HIPAA breach triggers an investigation which reveals systemic flaws in HIPAA compliance, resulting in a seven-figure settlement.  A stolen laptop, unencrypted data, a missing business associate agreement, and an aggressive, noncompliant contractor add to the feeling of déjà vu.

North Memorial Health Care of Minnesota, a not-for-profit health care system, settled with the Office of Civil Rights for the Department of Health and Human Services (OCR) for $1.55 million resulting from allegations that it violated HIPAA by failing to timely implement a Business Associate Agreement with Accretive Health, Inc., a major contractor, and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

The OCR’s investigation arose following North Memorial’s reporting of a HIPAA breach on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a workforce member of a business associate’s (BA’s) locked vehicle, impacting the ePHI of almost 10,000 individuals. The investigation further revealed that, North Memorial began providing Accretive with access to its PHI on March 21, 2011, and the parties did not enter into a business associate agreement until October 14, 2011

In addition to the fine, North Memorial is required to develop policies and procedures specific to documenting the BA relationship, modify its existing risk analysis process, and develop and implement an organization-wide risk management plan. The Resolution Agreement is available here.

In a press release, OCR director Jocelyn Samuel said:

“Two major cornerstones of the HIPAA Rules were overlooked by this entity.  Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

Accretive Health, Inc. may be a familiar name to readers of this blog.  In 2012, the Minnesota Attorney General’s office filed suit against Accretive for allegedly mining, analyzing and using their hospital clients’ data for purposes that were not disclosed to patients and which may adversely affect their access to care.  This suit was subsequently settled for $2.5 million under an agreement under which Accretive agreed to cease operations in Minnesota.  The AG’s lawsuit was triggered by the same laptop theft which compromised the healthcare data of North Memorial and another facility, Fairview Health  Services.  One stolen, unencrypted laptop of a BA has resulted in over $4 million in aggregate liabilities to three covered entities.

The lessons for covered entities from this continuing saga are clear:

  • Encrypt your electronic data. All of it, everywhere it resides and whenever it is transmitted, and pay particular attention to laptops, mobile devices and media.  (While you’re at it, be sure to protect paper data as well and shred it when it is no longer needed  — it can be easily exploited by thieves and dumpster-divers).
  • Make sure you have Business Associate Agreements with all business associates, and review them to make sure they are current and require appropriate safeguards and indemnify you from the costs of the BA’s breaches.
  • Know your BAs and control what they do with your data.  Accretive’s alleged aggressive collection efforts, such as accosting patients on gurneys in the emergency department or while recovering from surgery, did not reflect well on their hospital clients.
  • Do not take your HIPAA obligations lightly.  North Memorial’s incomplete HIPAA implementation and lack of attention to risk analysis may have contributed to the severity of the result.

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.   OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved  not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts.  The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards.  During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revised and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored in portable devices which have a disturbing tendency to disappear.  Had the backup device been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mediate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc.  Do not wait for OCR to tell you how to respond to the breach.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Doctor is Arrested for Stealing Thousands of Patient Records.”  While the full text can be found in the February 16, 2015 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed in the article.

A theft of patient protected health information (“PHI”) may invoke more than federal and state privacy laws.  It can also mean criminal charges under state penal laws. Radiologist James Kessler learned the hard way when he was arrested for allegedly stealing the PHI of nearly 100,000 patients.

Elizabeth was quoted as observing, “There is no indication that it was difficult for Kessler to do this.  He didn’t treat all 100,000 patients, so why did he have the ability to copy all of those files?  There are technical safety mechanisms and audit controls to limit that access.”

The article pointed out that in some multi-physician situations, ownership of records may need to be negotiated, and the contract may need to specify who gets which records in the event of a separation.  For example, if a physician brings patients to a practice, the employee may be entitled to own and take those patients’ records.

I was quoted by Marla: “Implement safeguards to reduce the risk that an employee can access records outside of his or her job responsibilities.  Also ensure that the practice provides HIPAA training, so that if an employee does violate HIPAA the action is less likely to be attributed to the employer.”

In the article Elizabeth explained that it is important to have an action plan to handle data breaches.  “Be prepared to investigate an incident that may be a security breach using the four steps required by HIPAA’s breach-notification requirements to see whether the breach needs to be reported,” she noted.  “Also be prepared to report a breach not only to the HHS and the state under HIPAA and state-notification laws but also to law enforcement when dealing with criminal activity such as theft and hacking.”

Elizabeth also advises in the article to make sure that the employment agreement complies with state law.  “Many states have laws regarding the reach of an employment agreement with physicians, such as reasonable non-competes and continuity of care provisions,” she says. “For instance, it varies whether an individual doctor or the practice itself is seen as having the relationship with the patients; there may even be state laws on the rights of patients in the event of a physician’s separation from a practice.”

The article points out that there are many complexities involved in the ownership, custody, creation, access, use, maintenance, transmission and retention of PHI. It may not be possible to prevent hacking or theft of PHI, even with reasonable security and privacy policies and procedures in place that are being followed.  However, if a breach or other adverse event occurs, the covered entity or business associate will be well-served by being able to demonstrate that it had and followed such policies and procedures if and when a regulatory authority or court is reviewing a HIPAA violation and determining potential responsibility and liability.

Is the PHI on all your mobile devices encrypted?  If not, here’s another two million reasons to make encryption your top priority. The Office of Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that they had imposed nearly $2 million in penalties on two entities as a result of the theft of unencrypted laptops.

As previously noted in this blog, theft or loss of laptops or other portable electronic devices remains a predominant factor in HIPAA breaches, constituting 57.5% of the approximately 400 List Breaches that involved reported theft or loss as of August 2013.

In the first incident, Concentra Health Services was fined $1,725,220 and agreed to adopt a corrective action plan after an OCR investigation following a report of the theft of an unencrypted laptop from a physical therapy clinic.  According to the press release,

“OCR’s investigation revealed Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.  While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.”

This isn’t Concentra’s first experience with laptop theft. The OCR list of Breaches Affecting 500 or More Individuals (also known as the “Wall of Shame”) includes two prior similar incidents, one in 2009 and another in 2011. (It is unclear whether this theft was related to the 2011 incident). Modern Healthcare reports that Concentra reported 16 additional breaches involving fewer than 500 individuals’ records.  So, although 434 out of 597 laptops had been encrypted according to HealthITSecurity.com, a batting average of .726 wasn’t good enough given their status as repeat offenders. Concentra’s resolution agreement, including the Corrective Action Plan, is available here and is worth reading.  Among other conditions, OCR requires that the company provide an update regarding its encryption status, including the percentage of all Concentra devices and equipment (laptops, desktops, medical equipment, tablets, and other storage devices) that are encrypted and an explanation for the percentage of devices and equipment that are not encrypted.

The company’s incomplete and inadequate implementation of compliance steps after known vulnerabilities had been identified may also have contributed to the severity of the penalty.  One of the worst things a covered entity or business associate can do is to engage in a half-hearted compliance effort that documents knowledge of uncorrected problems.

In the second case, Arkansas-based QCA Health Plan reported the theft of an unencrypted laptop containing records of 148 individuals. OCR noted that its investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to pay $250,000 and implement upgraded security procedures and employee training. QCA’s Resolution Agreement and Corrective Action Plan is here. This case marks only the second time OCR has fined an entity for a breach involving less than 500 individuals’ PHI, following the Hospice of North Idaho settlement.

One lesson is clear from both incidents: if these laptops had been encrypted in accordance with NIST standards, neither entity would have been subjected to fines and additional government oversight.  As enforcement continues to ramp up and target both Covered Entities and Business Associates, and as the use of mobile devices continues to increase, there is no excuse to delay full implementation of encryption.  Encryption isn’t a panacea, but it’s as close as you can get in the HIPAA compliance world.

The first breach settlement announcement of the new year breaks new ground – a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of a breach involving fewer than 500 individuals.  There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft.  The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency’s failure to anticipate the risk of loss of unprotected data on mobile devices which were commonly used by its staff in field work: 

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."  

The emphasis on a small covered entity’s lack of analysis and risk assessment is reminiscent of OCR’s settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and report the details of any such failure including sanctions imposed and steps taken to prevent recurrence.                  

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalance of breaches associated with lost and stolen laptops, it is often forgotten that the loss of unreadable encrypted data is generally not a HIPAA breach. 

Next, all organizations but especially those like hospices, home health agencies and other entities with mobile workforces must prioritize securing mobile devices. For starters, refer to OCR’s guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading.  Some of the advice seems to be common sense (password protection, remote wiping or disabiling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today’s "bring your own device" environment.   OCR has even created a handy one-page Fact Sheet with useful mobile device security tips. 

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013. 

On May 28, 2010, William H. Maruca, editor of this blog, reported in a post entitled Red Flag Reprieve – Déjà vu All Over Again that, under pressure from Congress, the Federal Trade Commission (“FTC”) had agreed to postpone enforcement of its “Red Flags Rule” until January 1, 2011.  

 

On June 1, 2010, an article in The National Law Journal  discussed the  postponement insofar as enforcement of the Red Flags Rule by the FTC against doctors, lawyers, and other professionals would require them to develop written identity theft prevention programs.  The article further noted that the postponement followed separate lawsuits by the American Bar Association and the American Medical Association and other physician associations on behalf of their respective professionals against the FTC, arguing that imposing the identity theft rule requirements on their members is arbitrary, capricious and has no legally supportable basis.  The article quoted FTC Chairman Jon Leibowitz as stating that Congress needs to clarify and fix problems in the application of the Red Flags Rule quickly to permit the FTC to carry out its enforcement obligations.

 

“Financial Institutions” and “creditors” with “covered accounts” are governed by the Red Flags Rule.  Therefore, a physician, other healthcare provider or lawyer could be subject to the Red Flags Rule if any activities meet the definition of a creditor with a covered account.  This broad definition essentially includes anyone who bills after providing services or allows patients or clients to defer payment.  One could be deemed a creditor simply because it allows a patient or client to defer payment for medical or legal services rendered. 

 

The “final” Red Flags Rule was promulgated by the FTC as long ago as November 9, 2007 under the Fair and Accurate Credit Transaction Act of 2003.  The original compliance date for the Red Flags Rule was November 1, 2008.  However, because many healthcare providers and professionals were unaware of or uncertain as to whether the requirements of the Red Flags Rule applied to them, the FTC delayed the initial enforcement date to May 1, 2009.

 

Discussions and correspondence between the healthcare sector and the FTC to clarify whether health care providers, such as physicians and other providers such as hospitals, must comply with the Red Flags Rule followed.  As a result of those discussions and the subsequent lawsuits discussed above, the FTC suspended enforcement of the Red Flag Rule multiple times, with the most recent enforcement deadline date being postponed to January 1, 2011.

 

Significant changes with respect to the application of the Red Flags Rule may be on the horizon for the healthcare industry.  It is not clear that Congress will act or, if it does, that the legislation will clearly define the applicability of the Red Flags Rule to a specific type of healthcare provider. Providers should keep apprised of developments that may affect them.