Two recent HIPAA settlements remind organizations subject to HIPAA of the importance of having a robust HIPAA privacy and security compliance program in place.

Most recently, on Nov. 30, 2015, the Office for Civil Rights (OCR) announced that Triple-S Management Corporation (Triple-S), an insurance holding company based in Puerto Rico, agreed to settle potential violations of the HIPAA Privacy and Security Rules with OCR in exchange for a $3.5 million payment and a requirement to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.

OCR initiated its investigation of Triple-S after receiving numerous notifications of breaches of unsecured protected health information (PHI). According to the OCR’s press release, the OCR’s investigation found widespread non-compliance with HIPAA, examples of which include:

  • Using and disclosing more PHI than was necessary to carry out insurance-related mailings;
  • Improperly disclosing PHI to an outside vendor without a business associate agreement;
  • Disclosing more PHI than necessary to accomplish the purpose for which a vendor was engaged;
  • Not terminating access to electronic PHI (ePHI) when the employment of a workforce member ended;
  • Not conducting a risk analysis incorporating all IT equipment, applications and data systems utilizing ePHI; and
  • Failing to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.

The corrective action plan that Triple-S must implement as part of the settlement requires Triple-S to establish a comprehensive compliance program to protect PHI, including performing a risk analysis, adopting HIPAA compliance policies and providing HIPAA compliance training to all workforce members and business associates providing services on Triple-S premises.

The Triple-S settlement was announced shortly after the OCR’s announcement on Nov. 24, 2015, of a settlement agreement with Lahey Hospital and Medical Center (Lahey), a nonprofit teaching hospital in Burlington, Mass. As part of the Lahey HIPAA Privacy and Security Rules settlement, Lahey was required to pay $850,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

The OCR initiated its investigation of Lahey after Lahey notified OCR that a laptop, which operated a scanner and produced radiology images, had been stolen from an unlocked treatment room. The laptop hard drive contained the PHI of 599 individuals. According to the OCR’s press release, its investigation found widespread noncompliance with HIPAA. Examples of noncompliance included not conducting a risk analysis covering all ePHI, failing to physically safeguard a workstation that accessed ePHI, not assigning unique user names for identifying and tracking user identity on the workstation at issue, and not implementing procedures to record and examine activity on that workstation. In addition, Lahey was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a comprehensive, enterprise-wide risk analysis and risk management plan and with evidence of HIPAA compliance.

Both of these settlements appear, in large part, to have been driven by the alleged widespread noncompliance with the HIPAA Privacy and Security Rules that the OCR found once its compliance investigations of these organizations began. Because the OCR may open a HIPAA compliance investigation in response to a complaint alleging a HIPAA violation or to a PHI breach report, any organization subject to HIPAA should be in a position to defend its HIPAA privacy and security compliance practices if faced with an investigation. That position includes having a robust HIPAA privacy and security compliance program and appropriate privacy and security policies and procedures that remain current and are updated as appropriate.