Resolution Agreements and Civil Money Penalties
A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.
Since 2013, the following Resolution Agreements and CMPs have been enforced:
1. $800,000 HIPAA Settlement in Medical Records Dumping Case
As reported on June 23, 2014, Parkview Health System, Inc. (Parkview) agreed to settle potential violations of the HIPAA Privacy Rule with the OCR. Parkview will pay $800,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.As a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition. “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heide, acting deputy director of health information privacy at OCR.
2. Data Breach Results in $4.8 Million HIPAA Settlements
As reported on May 7, 2014, two health care organizations agreed to settle charges that they potentially violated HIPAA by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. New York and Presbyterian Hospital (NYP) agreed to pay OCR $3,300,000 to settle potential violations of the HIPAA Privacy and Security Rules, and to adopt a corrective action plan to evidence their remediation of these findings. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
3. Concentra Settles HIPAA Case for $1,725,220
As reported on April 22, 2014, Concentra Health Services (Concentra) agreed to pay OCR $1,725,220 to settle potential violations of HIPAA Privacy and Security Rules, and to adopt a corrective action plan to evidence their remediation of these findings. OCR opened a compliance review of Concentra upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
4. QCA Settles HIPAA Case for $250,000
As reported on April 22, 2014, QCA Health Plan, Inc., of Arkansas, agreed to settle potential violations of the HIPAA Privacy and Security Rules, agreeing to pay a $250,000 monetary settlement and to correct deficiencies in its HIPAA compliance program. OCR received a breach notice in February 2012 from QCA reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012. QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
5. County Government Settles Potential HIPAA Violations
As reported on March 7, 2014, Skagit County, Washington, agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules by paying a $215,000 monetary settlement and agreeing to work closely with HHS to correct deficiencies in its HIPAA compliance program. OCR opened an investigation of Skagit County upon receiving a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server. OCR’s investigation revealed a broader exposure of protected health information involved in the incident, which included the ePHI of 1,581 individuals. Many of the accessible files involved sensitive information, including protected health information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.
6. Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts
Reported on December 20, 2013, Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm) agreed to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules with HHS, including a $150,000 payment. APDerm agreed also to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.
OCR opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and to train workforce members.
7. HHS Settles with Health Plan in Photocopier Breach Case
Reported on August 14, 2013, Affinity Health Plan, Inc. paid $1,215,780 to settle potential violations of the HIPAA Privacy and Security Rules. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
8. WellPoint Settles HIPAA Security Case for $1,700,000
This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet. As reported on July 11, 2013, OCR began its investigation following a breach report submitted by WellPoint as required by the HITECH Act.
The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.
The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.
The investigation indicated WellPoint did not:
- adequately implement policies and procedures for authorizing access to the on-line application database
- perform an appropriate technical evaluation in response to a software upgrade to its information systems
- have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
As a result, beginning on Oct. 23, 2009, until Mar. 7, 2010, the investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information. Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet. HHS points out that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.
9. Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000
Reported on June 13, 2013, SRMC has agreed to pay $275,000, to implement a comprehensive corrective action plan to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, and to train its workforce members. OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review indicated that senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce. In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.
According to OCR Director Leon Rodriguez, “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
10. Idaho State University Settles HIPAA Security Case for $400,000
Reported on May 21, 2013,this settlement involved the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic. The ePHI was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring. OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.
According to OCR Director Leon Rodriguez, “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program. Proper security measures and policies help mitigate potential risk to patient information.”
OCR’S HIPAA Audit Program
Background on the OCR Pilot Privacy, Security, and Breach Notification Audit Program
The use of health information technology continues to expand in health care. Although these new technologies provide many opportunities and benefits for consumers, they also pose new risks to consumer privacy. Because of these increased risks, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers. HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them. Through this program, OCR developed a protocol, or set of instructions, it then used to measure the efforts of covered entities.
The audit program began with an audit of 20 entities in 2011, with 95 more added in 2012. In the summer of 2012 the OCR published the audit protocols that OCR, through KPMG, is using to audit the healthcare industry. The audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. The audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. There are a total of 169 protocols- 78 for HIPAA security, 81 for HIPAA privacy and 10 for HIPAA breach. The protocols are published online at:
OCR’s HIPAA Audit Protocols
- The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- The protocol covers Security Rule requirements for administrative, physical, and technical safeguards
- The protocol covers requirements for the Breach Notification Rule.
Consulting firm KPMG conducted the pilot audits and assessed compliance with the 169 requirements of the protocol. Now, OCR is learning which gaps in protecting health information cause the most breaches, and has stated an intention to focus on those areas that are causing the most breaches. One big target area, if not the biggest target, is an organization’s risk analysis. Covered entities audited in the pilot program often had conducted a shallow analysis that wasn’t updated as events warranted, such as new business strategies or new information systems, or no risk analysis of their internal operations at all. Organizations must have a complete and accurate risk analysis to be compliant.
Another top area of focus is the use of data encryption. Under the security rule, encryption is an “addressable” requirement. An organization deciding not to encrypt must, through documentation, justify its decision and select a reasonable alternative. What is being found in the pilot program is that an organization either implemented encryption or did nothing at all in justifying and documenting reasonable alternatives. According to OCR’s senior advisor for health information privacy, Linda Sanches, her best piece of advice about preparing for audits is to actually be in compliance and to conduct comprehensive risk analysis. Sanches acknowledged that it requires heavy-lifting to perform such an analysis but that it’s better to have one in hand than scramble and pull it together come audit time.
OCR originally planned to conduct 400 desk audits and “a large number of on-site audits,” in the coming year, but are now said they’re looking at “fewer than 200 desk audits” and they haven’t confirmed a specific number of on-site audits for covered entities, or the number of Business Associate audits that will follow those.