Look no further than the last three weeks for proof that HIPAA enforcement is on the rise.
Failure to maintain the security of information systems containing patient information has cost healthcare providers over $10 million in recent settlements of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Service’s Office for Civil Rights (OCR) is making it clear that enforcement of HIPAA’s security requirements is a priority and not likely to slow down. Indeed, OCR recently announced three major settlements of alleged HIPAA security violations in as many weeks. The settlements all involve large health systems and include the largest ever settlement of HIPAA claims, at a record $5.55 million.
- On July 18, 2016, OCR announced that Oregon Health & Science University (“OHSU”) agreed to pay $2.7 million and enter into a three-year comprehensive corrective action plan as part of a settlement following OCR’s investigation of OHSU’s compliance with the HIPAA Security Rule.
OCR reports that OHSU submitted multiple reports of HIPAA breaches involving the unsecured protected health information (PHI) of thousands of individuals. Two of the breaches involved unencrypted laptops, and the third involved a stolen, unencrypted thumb drive. OCR’s investigation uncovered widespread security vulnerabilities and failure to comply with the HIPAA Security Rule. For example, OCR found that OHSU stored electronic PHI (ePHI) of more than 3,000 individuals on a cloud-based server, but OHSU did not have a business associate agreement in place with the vendor. OCR determined that this oversight put 1,361 individuals at significant risk of harm.
Although OHSU has performed security risk assessments periodically since 2003, the risk assessments did not cover all of the ePHI in OHSU’s information systems, and OHSU did not address the vulnerabilities identified in the risk assessments. For example, although OHSU identified that its lack of encryption of ePHI stored on its workstations was a risk, it failed to implement encryption or an equivalent protection. OCR also found that OHSU lacked policies and procedures required by the Security Rule to prevent, detect, contain, and correct security violations.
- Just a week after the OHSU announcement, OCR announced a similar settlement with the University of Mississippi Medical Center (“UMMC”) for $2.75 million. Like OHSU, OCR investigated UMMC’s HIPAA compliance after UMMC reported a HIPAA breach involving a stolen laptop containing ePHI.
OCR’s investigation found that users of UMMC’s wireless network could use a generic username and password to access an active directory on UMMC’s network drive containing 67,000 files. OCR estimates that the directory included files containing the ePHI of 10,000 patients. OCR also found that UMMC violated the Security Rule by failing to implement appropriate security policies and procedures, restrict access on workstations that access ePHI to authorized users, and assign unique user names for identifying and tracking users of systems containing ePHI. Further, UMMC failed to notify each individual whose ePHI was reasonably believed to have been affected by the breach of the stolen laptop.
- Finally, in keeping with its once-a-week settlements,OCR announced on August 4, 2016 that it had entered into the largest ever settlement of HIPAA claims with Advocate Health Care Network (“Advocate”). Advocate agreed to pay $5.55 million, due in part to the extent and duration of Advocate’s alleged noncompliance and the large number of individuals whose PHI was affected.
OCR investigated Advocate’s HIPAA compliance after it reported three separate HIPAA breaches involving its subsidiary, Advocate Medical Group, affecting approximately 4 million individuals. OCR reports that Advocate failed to conduct accurate and thorough risk assessments, implement appropriate security policies and procedures, enter into written business associate agreements to protect ePHI, and reasonably safeguard an unencrypted laptop that was left in an unlocked car.
Aside from confirming that HIPAA enforcement is dramatically up, these settlements highlight the importance of Security Rule compliance. Among other things, this means that covered entities (and business associates) must:
- have adequate security policies and procedures to prevent, detect, contain and correct security violations;
- have thorough risk assessments that assess all information systems containing ePHI;
- respond to all risks and vulnerabilities that they have identified in their risk assessments; and
- handle security breaches in accordance with the requirements of the Breach Notification and Security Rules — and be prepared for significant breaches to result in enforcement actions.