Potentially missed among end-of-year and holiday activities, the Office for Civil Rights (OCR) has announced three resolution agreements for violations of the HIPAA Privacy and Security Rules within the past month. These three resolution agreements double the number of settlements announced by OCR in 2015, and they serve as a year-end reminder to covered entities (and business associates) that OCR is continuing to ramp-up its enforcement of HIPAA violations. Covered entities and business associates should review their HIPAA compliance programs to ensure that they are functioning effectively with the start of the new year.
A short description of each of the three recently announced resolutions agreements is included below.
Lahey Hospital and Medical Center - $850,000
On November 25, 2015, OCR announced that Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School providing care in Burlington, Massachusetts, had agreed to pay $850,000 and adopt a robust corrective action plan to correct wide-spread deficiencies in its HIPAA compliance program. OCR’s investigation began when Lahey notified OCR that a laptop connected to a portable CT scanner had been stolen from an unlocked treatment room in August 2011. The laptop hard drive contained the PHI of 599 individuals. In its announcement of the resolution agreement, OCR highlighted the importance of applying appropriate protections to portable workstations containing PHI associated with medical devices, including the need to consider these devices as part of an entity’s required risk analysis.
Triple-S Management Corporation - $3.5 million
On November 30, 2015, OCR announced that it had entered into a $3.5 million resolution agreement with Puerto Rico-based insurance holding company Triple-S Management Corporation, on behalf of its wholly owned subsidiaries, Triple-S Salud, Inc., Triple-C, Inc., and Triple-S Advantage, Inc., (collectively, Triple-S) to resolve potential violations of the HIPAA Privacy and Security Rules. Triple-S also agreed to adopt a robust corrective action plan. OCR initiated its investigation after receiving multiple breach notifications from Triple-S. OCR’s investigation identified widespread non-compliance with the HIPAA requirements, including failing to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI, disclosing PHI to a vendor without having a business associate agreement in place, using or disclosing more PHI than necessary to carry out mailings, failing to conduct a thorough risk analysis, and other instances of non-compliance.
The $3.5 million resolution agreement is one of the largest resolution agreements OCR has entered into with a covered entity. Triple-S’s subsidiary Triple-S Salud also previously paid a $6.8 million penalty to the Puerto Rican Medical Insurance Administration for its failure to properly respond to a data breach resulting from mailing pamphlets to more than 13,000 Medicare beneficiaries displaying each beneficiary’s Medicare Health Insurance Claim Number.
University of Washington Medicine - $750,000
On December 14, 2015, OCR announced that the University of Washington Medicine (UWM) had agreed to pay $750,000, implement a corrective action plan, and provide annual reports on its compliance efforts to resolve allegations that it violated the HIPAA Security Rule. UWM is an affiliated covered entity, encompassing the University of Washington Medical Center and other designated health care components and other entities under the control of the University of Washington. OCR initiated its investigation of UWM after receiving a breach report in November 2013 that the electronic PHI of approximately 90,000 individuals was accessed after an employee downloaded an email attachment containing malware. Although UWM’s policies required its affiliated entities to have up-to-date, documented system-level risk assessments, OCR’s investigation determined that UWM was not ensuring that the affiliated entities were properly conducting the risk assessments and appropriately responding to potential risks and vulnerabilities. OCR noted in the settlement announcement that an effective risk analysis must be comprehensive in scope and conducted across an organization, not limited to an analysis of a specific system such as an electronic medical record.