The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it reached resolution agreements and corrective action plans with two health care entities - a health system and a research institution - in connection with alleged violations of the Health Insurance Portability and Protection Act of 1996 (HIPAA). These cases underscore the importance of ongoing HIPAA compliance vigilance by covered entities and business associates, particularly in light of OCR’s recent announcement that it has commenced Phase 2 of its audit program.
SETTLEMENT 1: FAILURE TO EXECUTE BUSINESS ASSOCIATE AGREEMENT
The first settlement, announced on March 16, involved North Memorial Health Care of Minnesota (North Memorial), which agreed to adopt a corrective action plan (CAP) to address deficiencies in its compliance program and to pay $1,550,000. North Memorial’s problems started when a laptop was stolen from the car of a business associate’s employee, impacting the electronic protected health information (ePHI) of nearly 10,000 people.
After receiving a breach report, OCR began an investigation and determined that North Memorial failed to have in place a business associate agreement, and also failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure.
The CAP requires North Memorial to develop a risk analysis and management plan and to train appropriate workers on all policies and procedures.
SETTLEMENT 2: LAX SECURITY MANAGEMENT PROCESSES
The second settlement, announced on March 17, involved Feinstein Institute for Medical Research (Feinstein). Feinstein agreed to pay $3,900,000 and to adopt a CAP to settle alleged violations of HIPAA. As in the North Memorial matter, Feinstein’s alleged violations came to light following the theft of a laptop containing ePHI from a car, although in this case it was the car of an employee rather than the car of a business associate’s employee.
The OCR’s investigation resulted in findings that Feinstein’s security management system “was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity,” and that Feinstein didn’t have proper policies, procedures and training in place to safeguard ePHI. In a news release, OCR made clear that research institutions such as Feinstein are held to the same compliance standards as other HIPAA-covered entities.
NOW IS THE TIME TO ASSESS RISKS
These situations underscore the importance of HIPAA compliance and the significant consequences of failing to comply. All covered entities, business associates, and subcontractors of business associates must conduct a risk analysis under HIPAA.
Specifically, these entities must “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 45 C.F.R. §164.308(a)(1). To fulfill these requirements, all entities subject to HIPAA’s Security Rule must perform a risk assessment. A risk assessment is a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
Entities affected by HIPAA can expect increased scrutiny by OCR moving forward. On March 21, 2016, OCR announced in a press release that Phase 2 of its audit program has commenced. According to OCR, these audits could involve onsite assessments or desk audits, and will be completed by the end of 2016. Any covered entity or business associate may be audited.
According to OCR, the audits “present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”
In light of the cases discussed above, and OCR’s recent announcement that Phase 2 of its audit program has commenced, it’s more important than ever to conduct a thorough HIPAA risk assessment.