On Aug. 14, the Department of Health and Human Services (“HHS”) published a $1.2 million settlement with Affinity Health Plan, which had neglected to wipe clean a photocopier used to store protected health information of nearly 345,000 people before returning it to the leasing company. The photocopier was subsequently purchased by CBS News.
Affinity’s hefty settlement with HHS is the agency’s fifteenth so far and seems to fall in line with the pattern of HIPAA settlements being tied more closely to the size of the covered entity rather than the egregiousness of the breach. The average settlement has been about $920,000. While settlements still continue to represent a minority of resolutions, it is difficult to identify which cases may lead to financial settlement and which ones will only require voluntary corrective action or external monitoring. But we can at least discern a few practical lessons from the past 15 settlements. Here they are:
- DO conduct an accurate and thorough risk analysis ($1.7M, $50,000, $100,000, and $400,000 settlements)
- DO evaluate the security impact of operational changes, such as moving facilities ($1.5M settlement)
- DO evaluate software upgrades for significant vulnerabilities, such as changes to an online database or a firewall, which may leave patient information exposed ($1.7M settlement & $400,000 settlement)
- DON’T provide patient information to the press without authorization, no matter what the patient or others may be saying about you ($275,000 settlement)
- DO address risks of employee access to electronic protected health information, such as monitoring for employee snooping of celebrities or other persons of interest (including co-workers) ($865,500 settlement)
- DON’T place patient information on unencrypted laptops ($50,000 settlement)
- DO consider systems for preventing employees from transporting patient information in an unsecured manner, such as placing large amounts of electronic protected health information on a personal mobile device or transporting hard-copy protected health information offsite ($1.5M settlement and $1M settlement)
- DON’T post your surgery schedule on an online calendar, with privacy settings allowing public viewing ($100,000 settlement)
- DON’T return photocopiers with medical records on the hard drives ($1.2M settlement)
- DON’T dispose of protected health information in public dumpsters ($2.25M and $1M settlements)
- DO encrypt backup tapes or consider a secure backup solution ($100,000 settlement)
- DON’T disclose patient information to a subsidiary for purpose of marketing, particularly for Medicare Advantage plans as this may become an issue during an unrelated False Claims Act investigation ($35,000 settlement)
- DO keep your privacy issues off the 11 p.m. nightly news ($2.25M, $1M, and $1.2M settlements)Bonus: DO cooperate with a HIPAA investigation ($4.3M fine)
These represent only snapshots of what led to HHS settlements, as one incident may trigger an HHS investigation that identifies numerous other alleged deficiencies. Earlier settlements usually included three-year corrective action plans and external monitoring, but more recent settlements have included shorter corrective action plans and no external monitoring.