On July 10, 2015, the United States Department of Health and Human Services Office for Civil Rights (OCR) announced its second settlement of the year for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). St. Elizabeth’s Medical Center (SEMC), a tertiary care hospital in Massachusetts, must pay $218,400 and adopt a “robust corrective action plan” to correct deficiencies in its compliance program. The corrective action plan requires a detailed self-assessment of workforce members’ compliance with existing HIPAA policies, possible revisions to HIPAA policies, training of workforce members, and disclosure to OCR of the failure by workforce members to comply with its HIPAA policies and procedures.

Background

According to the OCR, on November 16, 2012, it received a complaint that the hospital’s workforce members were violating HIPAA Rules by using an internet-based document sharing application to store documents containing the electronic protected health information (e-PHI) of at least 498 individuals. On August 25, 2014, SEMC notified OCR of another breach involving the unsecured e-PHI stored on a former SEMC workforce member’s personal laptop and USB flash drive. This breach affected 595 individuals.

As a result of the two investigations, OCR found that SEMC:

  • disclosed the PHI of at least 1,093 individuals;
  • failed to implement sufficient security measures regarding the transmission and storage of e-PHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • failed to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.

Self-Assessment

The Resolution Agreement requires SEMC to conduct a self-assessment of SEMC workforce members’ knowledge and compliance with SEMC policies and procedures that address the following:

  • transmitting e-PHI using unauthorized networks;
  • storing e-PHI on unauthorized information systems, including unsecured networks and devices;
  • removal of PHI from SEMC;
  • prohibition on sharing accounts and passwords for e-PHI storage and access;
  • encryption of portable devices that access or store e-PHI; and
  • security incident reporting related to e-PHI.

HHS also imposed strict parameters for conducting the self-assessment. SEMC must make unannounced site visits to five SEMC departments to assess the implementation of the above-described policies and procedures; interview fifteen randomly selected SEMC workforce members; and inspect at least three portable devices at each of the five departments to determine whether each device satisfies the policies and procedures described above. SEMC must document its self-assessment by filing a detailed written report with the OCR, including any material compliance issues SEMC identifies.

Policies and Procedures

Based on the self-assessment, SEMC must determine whether it needs to revise its HIPAA policies and procedures. If the self-assessment shows that workforce members are not familiar with or not substantially complying with SEMC’s policies, SEMC must develop an oversight mechanism “reasonably tailored to ensure that all SEMC workforce members follow such policies and procedures” and that e-PHI is used and disclosed only as provided for in the policies. The OCR must approve the proposed revised policies or oversight mechanism.

Training

If, as a result of the self-assessment, SEMC determines that its HIPAA training needs to be revised, it must submit the proposed revisions to OCR for review and comment. Upon final approval of the training by OCR, SEMC must distribute a “security reminder” reflecting the content of the revised training and describing any revised policies to all workforce members with access to e-PHI. SEMC must also include the revised training in future training sessions, and workforce members who are required to attend training must certify that they received the required training.

Takeaways

This settlement offers several lessons for covered entities and business associates, including the following:

  • ensure that HIPAA policies and procedures address the use of internet-based applications, including document and file-sharing applications;
  • implement robust policies addressing the use of portable devices, including encryption requirements and “wiping” technology;
  • effectively educate workforce members about the entity’s policies and procedures, including the reporting of suspected security incidents or other potential HIPAA breaches; workforce members must know whom in the organization to contact to report suspected improper uses or disclosures of PHI; and
  • timely respond to suspected security incidents, including mitigating the harm from such incidents and documenting how the incident was addressed.

Finally, covered entities and business associates may want to take a page from the Resolution Agreement and conduct their own “self-assessment” to determine the effectiveness of their HIPAA policies and training. This settlement shows that it is not enough to have the required policies. Rather, your workforce members must also understand and follow them.