Businesses subject to HIPAA rules should take note of recent penalties imposed by the U.S. Department of Health and Human Services (“HHS”). Penalties of more than $1 million each were leveled as a result of Security Rule violations, serving as a strong reminder for businesses to revisit their compliance programs.

HHS enforces the privacy protections established by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Security Rule. These privacy protections apply to Covered Entities, such as health care providers, doctors, insurance companies, HMOs, and health care clearinghouses, as well as to business associates of Covered Entities that handle protected health information.

The Security Rule establishes standards to protect electronic personal health information (“ePHI”) from unauthorized disclosure. This rule requires Covered Entities and Business Associates to adopt administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Under both the Security Rule and the related Privacy Rule, ePHI consists of individuals’ private information. The Privacy Rule provides protections over personal health information and sets rules and limits on who may receive that information.

Two recent settlement agreements issued by HHS call for substantial payments from a large health care provider and a state Medicaid plan to resolve allegations of HIPAA compliance issues. These two agreements illustrate that Covered Entities need to evaluate and regularly assess their compliance with the HIPAA Security and Privacy Rules. In a forthcoming client alert, we will address audit protocols recently issued by the HHS Office for Civil Rights (“OCR”). These protocols cover the Privacy and Security Rule requirements, as well as the requirements of the Breach Notification Rule, which requires Covered Entities to provide notification following a breach of unsecured ePHI. The audit protocols set forth a series of procedures by which OCR analyzes the processes, controls, and policies adopted by selected Covered Entities. This forthcoming client alert will be available on the Lewis and Roca website.

The Alaska Department of Health and Social Services Case

HHS announced the first recent agreement on June 26, 2012, with the Alaska Department of Health and Social Services (“Alaska Department”). The agreement followed a breach report from the Alaska Department reporting the 2009 theft of a USB hard drive, possibly containing the ePHI of 500 individuals, from a department computer technician’s vehicle. After conducting an investigation, HHS determined that the Alaska Department had not:

  • completed a risk analysis, 
  • implemented sufficient risk management measures, 
  • completed security training for its workforce members, 
  • implemented device and media controls, or 
  • addressed device and media encryption, as required by the Security Rule.

Under the terms of the resolution agreement, without admitting liability, the Alaska Department agreed to pay HHS $1,700,000. In addition, the Alaska Department agreed to a corrective action plan calling for it to: 

  • develop and implement policies and procedures to comply with the Security and Privacy Rules, and submit those policies and procedures to HHS within 90 days, 
  • distribute the policies and procedures to all members of its workforce who have access to ePHI, and obtain certifications from all such members indicating they have read and will follow and comply with the policies and procedures, 
  • provide Security Rule training to all members of its workforce who have access to ePHI, 
  • conduct a thorough risk assessment of vulnerabilities to its ePHI, and 
  • designate an independent monitor to monitor its compliance with the Security Rule, who must report back to HHS on the Alaska Department’s ongoing compliance efforts.

The Director of OCR, which conducted the investigation, commented, “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.” This HHS action illustrates that all Covered Entities, including state agencies, must implement compliance plans appropriate for their organization.

Massachusetts Eye and Ear Cases

HHS also announced an agreement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI”), on September 17, 2012. The agreement followed an OCR investigation after MEEI submitted a breach report of the theft of an unencrypted personal laptop containing the ePHI of approximately 3,600 of its patients and research subjects, including patient prescriptions and clinical information. Among the allegations that the agency investigated, OCR’s findings revealed that MEEI did not: 

  • demonstrate that it conducted a thorough analysis of the risk to the confidentiality of its ePHI as part of its security management process, or implement appropriate security measures to address such potential risks, 
  • implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted, 
  • implement policies and procedures to restrict access to portable devices that access ePHI to authorized users, or provide MEEI with reasonable means to know whether or what type of portable devices were being used to access its network, 
  • adequately adopt or implement procedures governing receipt and removal of portable devices into, out of, and within its facility, or track non-MEEI owned portable media devices containing ePHI, or 
  • adopt technical policies and procedures to allow access to ePHI only to authorized users, or adopt alternative encryption measures to ensure the confidentiality of its ePHI (or document the rationale supporting the decision not to encrypt).

OCR’s investigation further determined that these failures continued over an extended period of time, demonstrating long-term, organizational disregard for the Security Rule’s requirements.

Without admitting liability, MEEI agreed under the resolution agreement to pay HHS a total of $1,500,000. As with the Alaska Department’s resolution agreement, MEEI agreed to take corrective action to improve its policies and procedures to safeguard the privacy and security of its patients’ ePHI, including reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule, training its workforce on those policies and procedures, and designating an independent monitor to conduct assessments of its compliance with the corrective action plan and render semi-annual reports to HHS.

“In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices,” said OCR Director Leon Rodriguez. “This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

Importance of Reviewing Your HIPAA Obligations

The two recent agreements, and the substantial payments they require, demonstrate that Covered Entities and Business Associates should actively take steps to implement a HIPAA compliance plan. As these cases show, that work should begin before an incident like the ones involving the Alaska Department and MEEI occurs. The resolution agreements reflect that HHS imposed penalties not only because of the specific incidents involved but also because of the organizations’ broader failure to take steps to protect ePHI and prevent unauthorized disclosures, including conducting a risk analysis, training their workforce, designing measures appropriate to the organization to protect ePHI, and continually evaluating their compliance with the Security and Privacy Rules.

All Covered Entities should be aware of HIPAA’s requirements, as well as the requirements of the Security and Privacy Rules, to ensure they are in compliance and avoid the threat of HHS sanctions.