On June 30, the Health and Human Services Office for Civil Rights (“OCR”) announced the first-ever settlement under the Health Insurance Portability and Accountability Act (HIPAA) with a business associate. In the press release, OCR Director Jocelyn Samuels stated:
Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.
OCR initiated its investigation after receiving notification from the covered entities that the theft of an iPhone of an employee of their business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), compromised protected health information (PHI) of over 400 nursing home residents. The data on the iPhone was neither password protected and nor encrypted and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. At the time of the incident, CHCS had no policies addressing the removal from its facility of mobile devices containing PHI or what to do if a security incident occurred.
According to the settlement agreement, an OCR’s investigation uncovered that CHCS failed to:
- Conduct an accurate and thorough risk assessment; and
- Implement appropriate security measures to address and reduce risks and vulnerabilities as required by the HIPAA Security Rule (See 45 C.F.R. § 164.308(a)(1)(ii)).
Under the Settlement Agreement, CHCS paid Health and Human Services $650,000 and entered into a two-year Corrective Action Plan (“CAP”). In agreeing to the amount of the fine, OCR indicated in its press release that it “considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.” The import being that future violators may face much stiffer fines. Under the CAP, CHCS must, among other things, develop and maintain written policies and procedures that comply with the Privacy, Security, and Breach Notification Rules and provide annual privacy and security training to those of its employees who have access to PHI.
Although this is the first enforcement against a business associate, it is not likely to be the last. In March of this year, Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has kicked into “high gear.” Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016, via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Privacy, Security, and Breach Notification Rules. Desk audits of business associates will follow in the fall of 2016.
Next Steps for Health Care Providers
Both covered entities and business associates should have in place, at a minimum, policies and procedures that address all aspects of the Privacy, Security, and Breach Notification Rules, including policies and procedures covering encryption of PHI, password management, automatic log off and log-in monitoring, audit and integrity controls, mobile device controls, security incident response, a data backup plan and a disaster recovery plan.
Additionally, covered entities and business associates should conduct risk assessments and then address those specific risks and vulnerabilities that are identified in their risk assessments by implementing best practices. For example, the best practice for mobile devices, including laptops, tablets and smartphones, is to avoid saving PHI on mobile devices. If that is not feasible, then the device’s password function should be enabled with a “complex password” scheme and the PHI on the device should be encrypted.