The Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of the U.S. Department of Health and Human Services—which are responsible for enforcing, respectively, the HIPAA Privacy Rule and the HIPAA Security Rule—extracted their first monetary payment from a covered entity for its failures to protect electronic protected health information (“ePHI”).
On July 15, 2008, Providence Health & Services, a Seattle-based not-for-profit hospital and health care system, agreed to pay a $100,000 “resolution amount”—not a civil monetary penalty—as redress for multiple incidents between September 2005 and March 2006, in which portable media containing unencrypted ePHI were taken off-site, left unattended and subsequently stolen. The ePHI of over 368,000 patients was compromised.
Providence also accepted a corrective action plan (“CAP”). The CAP’s primary focus is on improving the security of ePHI in portable media, which the CAP requires Providence to do by written data protection policies and procedures, to be approved by OCR and CMS and used to train Providence’s workforce members on their data protection obligations. The CAP’s emphasis on administrative safeguards underscores that the primary threats to the privacy and security of ePHI come from a covered entity’s workforce, and that effective, compliant data protection requires diligent workforce training, monitoring and oversight, not just physical and technical safeguards.
The CAP has a three year term. An uncured breach of the CAP can subject Providence to civil monetary penalties. The CAP imposes on Providence for its term the following administrative obligations tailored to avoiding a repeat of Providence’s data security lapses:
Policies and Procedures. Providence must review and revise its data privacy and security policies and procedures to ensure compliance with the Privacy and Security Rules and the following requirements, which essentially parrot the Privacy and Security Rules mandates (but with a focus on portable media):
- A “risk assessment of potential risk and vulnerabilities” to the confidentiality, integrity and availability of ePHI created, received, maintained, used or transmitted “off-site”
- A “risk management plan” with security measures “sufficient to reduce risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level”
- Physical safeguards governing the off-site transport and storage of backup electronic media containing ePHI and the “physical security” of portable devices containing ePHI
- Technical safeguards governing “encryption” and other means (such as passwords) to secure backup electronic media and portable devices containing ePHI
- Notification of OCR and CMS of any violation of the policies and procedures. The notification must describe the violation, the persons involved and the actions taken to mitigate any harm and prevent reoccurrence.
The CAP does not appear to require encryption (encryption is an “addressable” standard under the Security Rule). Nonetheless, the CAP certainly indicates that a covered entity with the size and sophistication to implement encryption—at least for ePHI in portable media—will need to document persuasive reasons if it decides not to do so. An added benefit of encryption is that, generally, encrypted data are not subject to the security breach notice laws enacted by more than 40 states.
Providence must submit its revised policies and procedures to OCR and CMS for approval. Once approved, Providence must certify that it has distributed these policies and procedures to its workforce. Workforce members must certify their receipt, review and understanding of and commitment to abide by the policies and procedures. Providence must reassess, update and revise the policies and procedures as needed, but not less than annually. Each revision must be approved by OCR and CMS, then redistributed to Providence’s workforce.
Training. Providence must train its workforce on the approved policies and procedures within 90 days of their approval and, for new workforce members, within 30 days of those workforce members’ start with Providence. Providence must review and update its training programs and processes at least annually.
Each workforce member must certify to receiving the training. No workforce member may be involved with off-site transport or storage of backup electronic media or with portable devices containing ePHI until the workforce member has certified to receipt of this training.
Monitoring. Providence must conduct monitoring reviews at least quarterly. These monitoring reviews are to validate that Providence’s workforce is familiar and complying with the data protection policies and procedures, and that backup electronic media and portable devices containing ePHI are being secured in accordance with the policies and procedures.
Monitoring reviews must include (a) unannounced site visits to Providence’s facilities, (b) interviews with a random sample of workforce members and with workforce members specifically involved with the supervision, use, retention or destruction of backup electronic media, and (c) inspection of a random sample of portable devices containing ePHI under the control of workforce members.
The monitoring reviews are to be one basis for Providence to identify risks and vulnerabilities to the confidentiality, integrity and availability of ePHI in backup electronic media or portable devices. Providence must develop and implement processes—including updating and revising its policies and procedures—as needed to reduce these risks and vulnerabilities. Providence must fully document each monitoring review, and retain for OCR and CMS all of its notes, work papers and other records created during monitoring reviews.
Implementation Report and Annual Reports. Providence’s Chief Information Security Officer must attest to OCR and CMS, within 120 days of the approval of Providence’s revised policies and procedures, that the approved policies and procedures are being implemented, that they have been distributed and remain available to Providence’s workforce, that the workforce has been trained on the approved policies and procedures, that all certifications required of workforce members have been collected, and that each of Providence’s locations is complying with the CAP.
The Chief Information Security Officer must attest that this “implementation report” results from “a reasonable inquiry regarding its content” and that he “believes that, upon such inquiry, the information is accurate and truthful.” Providence’s training materials, a description of its training, a summary of the topics covered by its training, the lengths of its training sessions, and a schedule of its training sessions held, must accompany the implementation report.
Providence must also submit an “annual report” to OCR and CMS confirming its compliance with the CAP. The annual report must be accompanied by a record of each quarterly monitoring review and the training schedule, training topics outline and training materials used by Providence during the annual reporting period. The annual report must include a summary of any violations of Providence’s policies and procedures during the year, and the actions taken by Providence to mitigate any harm resulting therefrom and to prevent reoccurrence. Providence’s Chief Information Security Officer must attest that each annual report results from “a reasonable inquiry regarding its content” and that he “believes that, upon such inquiry, the information is accurate and truthful.”
Document Retention. Providence must retain all documentation and records regarding its compliance with the CAP for six years following the CAP’s effective date