To date, the Department of Health and Human Services (“HHS”) has entered into ten resolution agreements and one civil monetary penalty related to its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”). Four resolution agreements have been triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act.
HHS’ fourth resolution agreement pertains to an April 2010 incident at Massachusetts Eye and Ear Infirmary (“MEEI”) and the Massachusetts Eye and Ear Associates, Inc. (“MEEA”) (hereinafter collectively referred to as “MEEI”) and MEEI’s paying of $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures for safeguarding the privacy and security of their patients’ protected health information. The Corrective Action Plan (“CAP”), contained in the resolution agreement, can be found here. The CAP includes minimum content for policies and procedures, workforce compliance with policies and procedures, training, and monitoring over a three year period.
The settlement stems from MEEI’s April 21, 2010 reporting to HHS of the theft of an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 3,500 individuals – patients and research subjects, including patient names, email addresses, dates of birth and medical histories. Social Security numbers or financial account information were not affected by the incident. The laptop was stolen from a hospital doctor lecturing in South Korea. Immediately upon learning of the incident, MEEI remotely disabled the computer’s hard drive. HHS, upon receiving the report, initiated an investigation by the Office for Civil Rights (“OCR”) into MEEI’s compliance with the Privacy, Security, and Breach Notification Rules. HHS' investigation indicated the following:
- MEEI, as part of its security management process, did not demonstrate that it conducted a through ongoing risk analysis regarding the confidentiality of ePHI;
- MEEI lacked security measures to ensure the confidentiality of ePHI;
- MEEI lacked policies and procedures to address security incident identification, reporting, and response;
- MEEI lacked policies and procedures for restricting access to authorized users for portable devices with access to ePHI;
- MEEI lacked policies and procedures governing the receipt and removal of portable devices; and
- MEEI lacked technical policies and procedures for restrcting access to ePHI on portable devices.
As stated by OCR Director Leon Rodriguez in a press release regarding the settlement, “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices. This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.” MEEI, in a statement regarding the settlement, commented that “Given the lack of patient harm discovered in this investigation, [Massachusetts] Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital’s annual revenue is very small compared to other much larger institutions that have received smaller fines.”
Since 2008, HHS has ramped up its enforcement of the HIPAA Privacy and Security Rules. HHS’ enforcement actions have included both private and public covered entities. The evolution of HHS’ enforcement activity is as follows:
- July 16, 2008 Resolution Agreement with Providence Health & Services - $100,000 (stolen tapes and disks containing unencrypted ePHI of over 386,000 patients);
- January 16, 2009 Resolution with CVS Pharmacy, Inc. - $2.25 million (inappropriate disposal of PHI);
- July 27, 2010 Resolution Agreement with Rite Aid Corporation - $1 million (inappropriate disposal of PHI);
- December 13, 2010 Resolution Agreement with Management Services Organization Washington, Inc. - $35,000 (disclosure of ePHI for marketing purposes);
- February 4, 2011 Civil Money Penalty issued to Cignet Health of Prince George’s County, MD - $4.3 million (denial of patient access to medical records);
- February 14, 2011 Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - $1 million (loss of PHI of 192 patients);
- July 6, 2011 Resolution Agreement with the University of California at Los Angeles Health System - $865,500 (unauthorized employee access to ePHI);
- March 13, 2012 Resolution Agreement with BCBST - $1.5 million (stolen unencrypted hard drives containing ePHI of over 1 million patients);
- April 13, 2012 Resolution Agreement with Phoenix Cardiac Surgery - $100,000 (public accessibility to Internet-based calendar of clinical and surgical appointments);
- June 26, 2012 Resolution Agreement with Alaska DHSS - $1.7 million (stolen USB hard drive possibly containing ePHI of 501 patients); and
- September 17, 2012 Resolution Agreement with MEEI - $1.5 million (stolen laptop containing ePHI of 3,500 individuals).
HHS’ last four resolution agreements have resulted from OCR investigations initiated after a covered entity’s reporting of a breach incident. From this most recent resolution agreement, it is clear that HHS will continue with OCR investigations post breach reporting – to ensure that a covered entity has in place policies and procedures for safeguarding of PHI. Moreover, MEEI's resolution agreement demonstrates that HHS is concerned with a covered entity's lack of an ongoing risk assessment as to the confidentiality of ePHI. In line with the BCBST, Phoenix Cardiac Surgery, and Alaska DHSS resolution agreements, a covered entity must conduct an ongoing, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the covered entity.