On April 27, 2015, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Cornell Prescription Pharmacy (CPP) pursuant to which CPP paid a $125,000 resolution amount, and adopted a corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 as amended (collectively, HIPAA). This solitary action in the first half of 2015 is in contrast to a pattern of increased enforcement that was evident throughout 2014, during which time OCR entered into seven resolution agreements to settle other alleged violations of HIPAA. Among the seven 2014 enforcement actions, six involved alleged failures to adequately safeguard electronic protected health information (ePHI), and one involved the failure to secure protected health information (PHI) in physical format. In addition, the resolution agreements and corrective action plans (which are publicly available) suggest certain areas of focus for OCR, which we discuss in this On the Subject. Covered entities and business associates should be mindful of these areas of focus when reviewing their HIPAA compliance programs.
Security Risk Assessments
Four of the seven 2014 enforcement actions—involving QCA Health Plan, Inc. (QCA), New York-Presbyterian Hospital (NYP), Trustees of Columbia University in the City of New York (Columbia) and Anchorage Community Mental Health Services, Inc. (ACMHS)—refer to allegations that the entities failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to their ePHI, and failed to implement security measures to reduce such risks and vulnerabilities to a reasonable and appropriate level. Such an assessment is a required administrative safeguard of the HIPAA Security Rule and a fundamental building block of electronic data security. In all four enforcement actions, the final corrective action plans required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement. Accordingly, covered entities and business associates should review their security-risk management policies and procedures; assure that they have conducted a baseline security risk assessment; and update prior security risk assessments, as needed, to address new threats and changes in their information technology environment.
Unlike the enforcement actions against QCA, NYP, Columbia and ACMHS, OCR acknowledged, in the resolution agreement associated with the enforcement action against Concentra Health Services (CHS), that CHS had conducted a security-risk assessment. However, OCR alleged that CHS failed to follow through with appropriate remediation efforts to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by the Security Rule. Specifically, the CHS resolution agreement notes that, although CHS had conducted multiple risk assessments recognizing a lack of encryption on its devices containing ePHI, CHS failed to thoroughly implement remediation measures to address the issue for more than three years. OCR expects covered entities and business associates to eliminate or mitigate any threats or vulnerabilities identified by security risk assessments on a reasonable, documented schedule consistent with their size, complexity and capabilities.
Change Management Procedures
Three of the seven enforcement actions—Skagit County, Washington, NYP and Columbia—refer to security-breach incidents attributable to internal changes to technology systems and data management which led to the inadvertent disclosure of ePHI. For example, OCR alleged that Skagit County moved ePHI related to 1,581 individuals to a publicly accessible server; however, Skagit County initially reported a security breach with respect to only seven individuals, allegedly failing to first identify the larger security breach.
OCR alleged that the NYP and Columbia breaches were caused when a Columbia physician attempted to deactivate a personally owned computer server on the network. Due to a lack of technological safeguards, this allegedly led to the public availability of certain ePHI on internet search engines. Accordingly, covered entities and business associates should review and revise, as appropriate, their change management policies and procedures; take care to safeguard ePHI during any system changes or data relocations; and assess the risks associated with such changes from a security perspective prior to making the change.

Additionally, the recent enforcement action against ACMHS indicates a need for covered entities and business associates to implement security patches of their technology systems on an ongoing basis. OCR alleged that ACMHS did not regularly update its information technology resources with available patches but continued to run outdated, unsupported software. Accordingly, covered entities and business associates should review their change management procedures and, on a reasonable schedule, implement all patches and software upgrades that are necessary to safeguard ePHI.
Compliance with HIPAA Policies and Procedures
The Security Rule requires a covered entity or business associate to implement reasonable and appropriate policies and procedures to comply with the requirements of the Security Rule. Of particular interest from the enforcement perspective is whether the entity actually follows the policies and procedures that it has adopted. For example, within the NYP resolution agreement, OCR alleged that, with respect to the data sharing arrangement with Columbia, NYP had failed to comply with its own policies on information-access management. Similarly, within the HHS bulletin associated with the enforcement action against ACMHS, OCR alleged that ACMHS had adopted sample Security Rule policies and procedures in 2005, but that such policies and procedures were not followed. Therefore, covered entities and business associates should be thoughtful in adopting and revising their policies and procedures, with the understanding that OCR may hold them accountable for enforcing compliance with such policies and procedures through training and employee discipline.
Summary of Recent OCR Enforcement Actions
The following table provides a brief summary of the seven resolution agreements entered into by OCR during 2014 and the most recent enforcement action against CPP earlier this year, as referenced above, including the settlement amount and term of the CAP if any.