Healthcare Alert

Last month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the largest settlement to date for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Advocate Health Care Network, a large, nonprofit health system based in the greater Chicago area, agreed to pay $5.55 million and adopt a corrective action plan to settle a variety of allegations of HIPAA noncompliance.

The Advocate settlement is the latest in a series of enforcement activities that already have made for a record-breaking year. So far in 2016, OCR has published nine resolution agreements requiring total payment of over $20 million, or an average of more than $2.2 million per settlement. By comparison, from the April 2003 effective date of the HIPAA privacy rule through the end of 2015, OCR entered into 29 settlements totaling approximately $28 million.

It is clear enough that we are in a new era of HIPAA enforcement activity. As massive data breaches continue to dominate headlines and with the second phase of OCR’s HIPAA audit program now underway, covered entities and their business associates have every reason to take stock of OCR’s enforcement actions and carefully review their own compliance efforts.

The Advocate Settlement

The Advocate settlement resulted from three separate breach notification reports submitted by Advocate on behalf of one of its subsidiaries, Advocate Medical Group (AMG). The first incident involved the theft in July 2013 of four desktop computers from an AMG administrative office building. In its breach report to OCR, which it submitted in August 2013, Advocate concluded that the computers contained the unsecured electronic-protected health information (ePHI) of approximately 4 million individuals. OCR began an investigation shortly after receiving the report.

Approximately two weeks later, in September 2013, Advocate submitted another breach report to OCR. The second incident involved the breach of unsecured ePHI by a subcontractor billing company, Blackhawk Consulting Group (Blackhawk). Advocate reported that, at some time between June and August 2013, the ePHI of roughly 2,000 AMG patients had been potentially compromised when an unauthorized third party accessed Blackhawk’s network. Advocate reported a third breach in November 2013. The third incident involved the theft of a laptop containing the unencrypted ePHI of more than 2,000 individuals from the car of an AMG employee.

In all, the three incidents involved the ePHI of approximately 4 million individuals, including names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information, and health insurance information.

Through its investigation, OCR determined that Advocate failed to comply with HIPAA in a variety of ways. Specific findings highlighted in the settlement agreement include:

  • Failure to conduct an accurate and thorough risk analysis that incorporated all of its facilities, information technology equipment, applications, and data systems using ePHI

  • Failure to implement policies and procedures to limit physical access to the electronic information systems housed within a large data support center (from which the four desktop computers were stolen)

  • Failure to obtain satisfactory assurances in the form of a written business associate agreement from Blackhawk that Blackhawk would appropriately safeguard all ePHI in its possession or control

  • Impermissible disclosure of the ePHI of approximately 2,000 individuals to Blackhawk when it failed to enter into a written business associate agreement with Blackhawk prior to disclosure

  • Failure to reasonably safeguard the data of more than 2,000 individuals when an AMG workforce member left an unencrypted laptop in an unlocked vehicle overnight

OCR announced that Advocate had agreed to a settlement with OCR to resolve these allegations on August 4, 2016. The settlement agreement requires the payment of $5.55 million and outlines a corrective action plan that will last for two years. Corrective actions required by the plan include, among other things: (1) modifying Advocate’s existing risk analysis; (2) developing and implementing an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis; (3) implementing a process for evaluating environmental and operational changes; (4) developing an encryption report that covers all Advocate devices and equipment that may be used to access, store, download, or transmit ePHI; (5) reviewing and revising policies and procedures on (i) device and media controls, (ii) facility access controls, and (iii) business associates; and (6) developing an enhanced privacy and security awareness training program. Advocate is required to submit the above analyses, plans, and policies to OCR for its review and approval.

Advocate also is required to conduct internal monitoring of its compliance with the corrective action plan as well as engage an independent third-party assessor to review its compliance. The independent reviewer is to provide reports of Advocate’s compliance directly to OCR.

In its press release announcing the settlement, OCR cited the extent and duration of the alleged noncompliance (dating back to the inception of the HIPAA security rule in some cases) as factors contributing to the record-breaking penalty. OCR also highlighted the involvement of the Illinois Attorney General in a corresponding investigation, the large number of individuals whose information was affected, and the size of Advocate.

Enforcement Activities in 2016

The Advocate settlement is the most recent in a string of significant HIPAA enforcement actions. In July, OCR announced two settlements with large health systems—one for $2.75 million and the other for $2.7 million. Earlier this year, OCR announced a $3.9 million settlement involving a biomedical research institute. In all, nine resolution agreements have been published thus far this year. Collectively, these settlements require payment of over $20 million, or an average of more than $2.2 million per settlement.

The following table summarizes the settlement agreements announced to date in 2016:

Entity

Settlement

Date

Key Allegations

Advocate Health Care Network

$5,550,000

August 4, 2016

Three separate breach incidents; failure to perform organization-wide risk analysis; failure to execute business associate agreement; failure to implement facility access controls

University of Mississippi Medical Center

$2,750,000

July 21, 2016

Theft of laptop and network vulnerabilities without appropriate security safeguards

Oregon Health & Science University

$2,700,000

July 18, 2016

Theft of laptops and unencrypted thumb drive; failure to enter into business associate agreement with cloud-based storage provider; failure to perform organization-wide risk analysis

Catholic Health Care Services of the Archdiocese of Philadelphia

$650,000

June 29, 2016

Theft of unencrypted mobile device owned by business associate; failure to perform risk analysis; failure to have mobile device policies and procedures

New York Presbyterian Hospital

$2,200,000

April 21, 2016

Disclosure of two patients’ PHI to film crews and staff during the filming of television series

Raleigh Orthopaedic Clinic, P.A.

$750,000

April 19, 2016

Failure to execute business associate agreement prior to disclosing PHI

Feinstein Institute for Medical Research

$3,900,000

March 17, 2016

Theft of laptop with patient and research participant information; failure to have adequate security management process

North Memorial Health Care of Minnesota

$1,550,000

March 16, 2016

Theft of laptop; failure to enter into a business associate agreement with major contractor; failure to perform organization-wide risk analysis

Complete P.T., Pool & Land Physical Therapy, Inc.

$25,000

February 16, 2016

Disclosure of PHI in advertising without authorization

Aside from their number and size, the settlements are noteworthy for a few reasons. First, these enforcement actions involve a variety of covered entities—from large health systems and a biomedical research institute to a physical therapy practice and an orthopedic surgery group—as well as a business associate. Second, most of the enforcement actions arose from breach reports submitted by the entities to OCR. In many of these cases, the breach resulted from stolen laptops or devices that were not encrypted. Third, although the facts of each case vary considerably, many involve some of the same HIPAA compliance issues, including failure to conduct an adequate risk analysis and failure to enter into a business associate agreement. Finally, in each of these enforcement actions, the entity was required to enter into a corrective action plan, which usually requires ongoing reporting to OCR and in many cases lasts two years. In several cases, such as the Advocate settlement, the OCR has required the appointment of a monitor for continuous oversight.

Of course, the settlements alone do not fully describe OCR’s enforcement activities. As of July 31, 2016, OCR had received over 137,770 HIPAA complaints and initiated over 885 compliance reviews. While it has resolved the vast majority of these cases, OCR still has over 5,000 open cases. It is likely that some of these cases will result in monetary settlements.

OCR has also announced an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. OCR investigates all reported breaches involving 500 or more individuals. Historically, each OCR regional office has had discretion as to whether to take action on smaller breaches. Under the new initiative, the regional offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to address noncompliance related to these breaches. OCR has indicated that its regional offices will consider the following factors, among others: (1) the size of the breach; (2) whether the breach involved theft of or improper disposal of unencrypted protected health information; (3) whether the breach involved unwanted intrusion to information technology systems; (4) the amount, nature, and sensitivity of the information involved; and (5) instances where numerous breach reports from the same entity raise similar issues.

Lastly, OCR is in the process of implementing the second phase of its audit program. The Health Information Technology for Economic and Clinical Health Act requires OCR to conduct periodic audits of covered entities and business associate compliance with the HIPAA privacy, security, and breach notification rules. In 2011 and 2012, OCR implemented a pilot audit program that involved 115 covered entities. In March of this year, OCR announced the second phase of the audit program, which includes both covered entities and business associates. The first set of audits under this program are desk audits focused on several key focus areas. All of the desk audits are expected to be completed by the end of December 2016. In 2017, OCR will begin to conduct comprehensive on-site audits. The audits are primarily intended to be a compliance improvement activity; however, they will be used to help OCR determine what types of corrective action it should pursue in the future.

Concluding Thoughts

More settlements, more money, same problems. It has been a banner year for OCR in HIPAA enforcement, with more settlements and a bigger haul than ever before. Yet, many of the enforcement actions involve relatively straightforward allegations of noncompliance, such as the lack of adequate risk analyses and risk management plans, failure to enter into business associate agreements, or failure to implement appropriate policies and procedures.

Covered entities and business associates should be mindful of these enforcement actions and use them as an opportunity to critically evaluate their own compliance efforts. Among other things, HIPAA-covered organizations should consider: (1) reviewing their risk analyses, revising as necessary to capture changes in where information is located and how it is transmitted; (2) evaluating workforce training efforts; (3) reviewing the adequacy of existing policies and procedures, including those regarding responding to potential breaches; (4) encrypting ePHI where possible; and (5) assessing cyber liability and breach-related insurance policies. Breaches cannot always be prevented, but the associated risk of loss can be mitigated substantially with careful planning.