April proved to be a busy month for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) under its newly appointed director, Roger Severino. OCR announced three settlements of potential HIPAA violations totaling nearly $3,000,000.00 in fines. The settling parties include a wireless health services provider, a federally qualified health center (FQHC), and a pediatric specialty provider. The settlements indicate that last year’s trend of higher settlement amounts and more robust corrective action plans appears to be continuing.
In the most costly settlement, announced on April 24, 2017, CardioNet, a mobile heart monitoring technology firm, agreed to pay $2,500,000.00 and implement a corrective action plan (CAP) based on the impermissible disclosure of electronic protected health information (ePHI) due to the theft of an employee’s unencrypted laptop. The unencrypted laptop, which was stolen from a parked vehicle outside the employee’s home, contained ePHI relating to 1,391 individuals.
The OCR determined CardioNet, which provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, is a covered entity required to comply with the HIPAA rules. The OCR’s investigation concluded that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, and CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were only in draft form and had not been implemented. This settlement is the first involving a wireless health services provider.
Less than two weeks earlier, the OCR entered into a settlement highlighting the importance of conducting robust risk analyses and implementing risk management processes in connection with the security of ePHI. On April 12, 2017, Metro Community Provider Network (MCPN), an FQHC, agreed to pay $400,000.00 and implement a CAP following a breach incident where the ePHI of over 3,200 individuals was accessed through a hacker’s phishing scheme.
The OCR’s investigation revealed that prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment. When MCPN finally conducted a risk analysis, the OCR deemed the risk analysis was insufficient to meet the requirements of the HIPAA Security Rule. The OCR explained the relatively low settlement amount by saying it considered MCPN’s FQHC status when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing care to its patients, many of whom have incomes below the poverty level.
The last of the three highlighted settlements is what has become a familiar case involving business associates. On April 21, 2017, the Center for Children’s Digestive Health (CCDH) agreed to pay $31,000.00 and implement a CAP. This settlement resulted from CCDH’s failure to enter into a Business Associate Agreement (BAA) with Filefax Incorporated (Filefax), a third-party vendor with which CCDH contracted to store inactive paper medical records. The OCR determined that while CCDH began disclosing PHI to Filefax dating back to 2003, neither party could produce a signed BAA prior to October 12, 2015.
The CCDH settlement reminds covered entities of the importance of having in place policies and procedures to identify and vet potential business associates before disclosing PHI. Failing to know your business partners and obtain proper written assurances regarding protecting PHI can be costly.
In light of the April settlements and the OCR’s continued active enforcement of the HIPAA rules, all entities subject to HIPAA are reminded to take steps to ensure compliance. In addition to decreasing the likelihood of breaches, the following steps serve to mitigate potential penalties if breaches do occur:
- Entities must conduct robust and comprehensive risk analyses to identify potential threats to their ePHI. Conducting a risk analysis which the OCR deems insufficient may be viewed as the equivalent of conducting no risk analysis at all.
- Entities should also have risk management processes in place to implement the security recommendations that come out of the risk analysis. If those recommendations are ignored, the OCR may consider the risk analysis as having been inconsequential.
- Entities should implement policies and processes governing their relationships with business associates. PHI or ePHI must not be shared with business associates until an analysis has been conducted as to whether a BAA is required for the given relationship.
- It is not enough to draft HIPAA policies and procedures – covered entities and business associates must also implement and disseminate the policies and procedures throughout the organization. Organizations should also revisit and update their HIPAA policies as often as necessary to conform with regulatory, environmental, and operational changes.