In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.
One of the investigations was triggered by the alleged untimely notification of a breach of the PHI of 836 individuals by a large health care network. The health care network discovered that paper-based operating room schedules containing PHI went missing from one of its surgery centers on October 22, 2013, but did not notify OCR until January 31, 2014. The delay was apparently caused by miscommunication among its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414), the OCR investigation concluded that the notifications to OCR, to affected individuals (on February 3, 2014), and to required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network for smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.
Under the terms of a settlement agreement with OCR, the health care network agreed to pay $475,000—roughly $570 per affected individual—as well as implement and comply with a Corrective Action Plan for two years. The Corrective Action Plan includes the required revision of policies and procedures to define employees’ roles and responsibilities with respect to potential breaches, and two annual reports to OCR regarding compliance with the Corrective Action Plan.
The other recent settlement concerned the impermissible disclosure of electronic PHI (“ePHI”) by a multinational insurance company, with a total fine of $2,204,182 – roughly $1,000 per affected individual. The breach resulted from an August 5, 2011, theft of an unsecured USB storage device with the ePHI of 2,209 individuals (including Social Security Numbers) from the IT department. The insurance company reported the breach September 29, 2011, and the OCR’s subsequent investigation concluded that the company was noncompliant with the HIPAA Rules. In particular:
- Failure to conduct an adequate risk analysis and implement risk management plans (45 C.F.R. § 164.308(a)(1)(i))
- Failure to implement a security awareness and training program for its workforce members (45 C.F.R. § 164.308(a)(5)(i))
- Failure to utilize encryption (or equivalent measures) on its laptops and storage media to protect ePHI (45 C.F.R. § 164.312(a)(2)(iv))
- Failure to implement reasonable policies and procedures to safeguard ePHI (45 C.F.R. § 164.316(a))
In addition to the hefty fine, the insurance company agreed to a Corrective Action Plan with a number of requirements, including: (i) conducting a thorough, enterprise-wide risk analysis of ePHI security risks and vulnerabilities incorporating all electronic equipment and data systems controlled by the insurance company, including the inventorying of all equipment that contains ePHI within 220 days of the settlement; (ii) submitting the risk analysis to OCR for review; (iii) developing a risk management plan to mitigate any identified security risks, with a process to evaluate changes that affect the security of ePHI within 120 days of the settlement; (iv) revising policies and procedures based on the risk management plan; and (v) submitting a report to the OCR summarizing compliance with the Corrective Action Plan requirements within 150 days after OCR approval of the revised policies, as well as annual reports for three years.
These settlements offer some important takeaways:
- Organizations should be prepared to launch a prompt response and efficient investigation following the discovery of a potential breach, and to perform an adequate risk analysis
- Even unintentional delays, such as those resulting from internal miscommunication, may not be excused, and it will be helpful to take them into account when implementing incident response plans and training employees
- Electronic data is not the only risk vector, as even hard-copy documents with PHI can prompt regulatory scrutiny, and are relevant to records-management oversight
- A lack of encryption for ePHI, particularly with mobile devices or media, carries a high risk of alleged HIPAA violations
- OCR increasingly seeks a combination of both hefty monetary penalties (on a per-affected-individual basis), and injunctive-type relief that could impose significant additional expenses and burdens for alleged violations