On May 8, 2014, the Department of Health and Human Services ("HHS") announced that it had reached settlements with two health care organizations arising from alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules.  The settlements result from the organizations' failure to secure thousands of patients' electronic protected health information ("ePHI") held on their network. The settlement total of $4.8 million is the largest HIPAA settlement to date. 

The Settlement

The Office for Civil Rights ("OCR") initiated its investigation of a New York hospital ("Hospital") and an affiliated medical school ("Medical School") following the parties' submission of a joint breach report on September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications and laboratory results.

The Hospital and Medical School participate in a joint arrangement in which Medical School faculty members serve as attending physicians at the Hospital, and the parties operate a shared data network.  A physician employed by the Medical School deactivated a personally-owned computer server that was connected to the shared network and held ePHI; with no technical safeguard in place to prevent it, the deactivation left that ePHI accessible to internet search engines.

OCR's investigation found that neither party properly maintained server security or installed appropriate software protections.  OCR found that neither party had conducted a thorough risk analysis incorporating all IT equipment, applications and data systems that use ePHI.  OCR further indicated that neither party had implemented processes for assessing and monitoring all IT equipment, applications and data systems linked to databases containing ePHI, and that neither had implemented security measures sufficient to reduce the risks and vulnerabilities to their ePHI to a reasonable and appropriate level.  Importantly, OCR also found that the parties had failed to implement appropriate policies and procedures for authorizing access to their databases containing ePHI and had not complied with their own existing policies on information access management. 

As part of the Resolution Agreements, the Hospital agreed to pay $3.3 million and the Medical School agreed to pay $1.5 million, with both parties agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports for a period of three years.

Practical Takeaways

In light of these HIPAA enforcement actions, covered entities and business associates should continue to take the necessary steps to safeguard their ePHI, including:

  • Conducting a comprehensive, thorough and accurate risk analysis to identify and evaluate security vulnerabilities for ePHI and remediating the vulnerabilities identified by that analysis;
  • Ensuring that all equipment, applications and data systems that are linked to databases containing ePHI are included in the risk analysis and appropriately safeguarded;
  • Developing and maintaining policies and procedures for authorizing access to databases that contain ePHI;
  • Updating privacy and security policies regularly;
  • Training workforce members on HIPAA policies and procedures and imposing prompt and appropriate sanctions for violations of those policies and procedures; and
  • Conducting an independent HIPAA compliance assessment utilizing the OCR HIPAA Audit Protocol.

More information on these enforcement actions, including the Resolution Agreements and the HHS press release, is available from HHS.