The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) reached a $100,000 settlement and corrective action plan with Phoenix Cardiac Surgery, a small cardiothoracic surgery physician practice, over its failures to comply with the HIPAA Security Rule. The covered entity’s alleged actions included the posting of electronic protected health information (“ePHI”) on “a publicly accessible, Internet-based calendar” and transmission of ePHI to employees’ personal, Internet-based e-mail accounts. OCR also alleged failures to have adequate policies, train the medical group workforce on HIPAA, assign a security officer, conduct an accurate and thorough risk assessment, and obtain a business associate contract from the Internet-based calendar and e-mail providers that allegedly maintained ePHI on the medical group’s behalf.

This settlement suggests a few lessons. First, OCR appears to be sending a clear message that covered entities must have business associate contracts in place with software-as-a-service (“SaaS”) cloud providers that store and access ePHI on the covered entity’s behalf. While cloud computing is one of the IT buzzwords of the moment, this case involves one of the older variations of such technology: hosted e-mail. Many—if not most—small providers do not maintain their own e-mail servers but instead rely on third party providers to manage e-mails on their behalf. This settlement demonstrates OCR’s expectation that the covered entity will obtain business associate contracts with such providers. Likewise, if covered entities utilize other SaaS technologies where the SaaS providers maintain and access ePHI, such as certain online calendars, then OCR expects a business associate contract to be in place.

The second lesson is that OCR is willing to bring an enforcement action, in the form of a settlement agreement and corrective action plan, against a covered entity of any size, but that settlements with smaller entities may have lower settlement amounts, financial penalties and shorter corrective action plan terms. This settlement ($100,000) is substantial, but far less than the settlements approaching or exceeding a million dollars with CVS, Rite Aid, Massachusetts General, UCLA, and Blue Cross Blue Shield of Tennessee. Additionally, the term of this corrective action plan is a year. OCR negotiated a two-year corrective action plan with the only other small provider that was the subject of settlement—Management Services Organization of Washington—while all other settlements have required three-year corrective action plans. Note that Cignet, a small provider, bucks this trend with a $4.3 million civil monetary penalty, demonstrating that all bets are off if a small provider does not cooperate and does not agree to a settlement and corrective action plan.

The third lesson is that settlements take time, and changes in enforcement may not be fully reflected for years. OCR is picking up the pace of formal enforcement—OCR also settled with Blue Cross Blue Shield of Tennessee for $1.5 million last month. Both cases involved conduct up to 2009—suggesting that OCR took more than two years to reach settlement. We have heard recurring messages from OCR that it will more aggressively enforce HIPAA, especially once it finalizes regulatory provisions that place a greater emphasis on enforcement of noncompliance due to “willful neglect.” It may take years, however, until we fully see the fruits of OCR’s (and other governmental agencies’) increased enforcement efforts.

In the meantime, covered entities and business associates may want to:

  • Verify whether their vendors are business associates (or subcontractors).
  • Determine whether sufficient business associate contracts/subcontracts are in place.
  • Know where protected health information is located and verify that it is properly safeguarded, including ePHI maintained by SaaS providers.
  • Revisit and update the risk analysis and risk management determinations and documentation.