More than five years into the HIPAA privacy era, the Department of Health and Human Services (HHS) has announced its first penalty for a violation of the HIPAA Privacy and Security Rules. In a groundbreaking settlement with various components of the Providence Health System, HHS has imposed a "resolution amount" of $100,000 on Providence, along with a burdensome and intrusive Corrective Action Plan.
This action clearly demonstrates that we have entered a new era of HIPAA enforcement. It also provides health care companies with extensive useful information about potential areas of security compliance concern, along with clues as to how HHS may proceed in the future. At a minimum, this enforcement action, along with the various pending security "assessment" reviews that are underway, should provide HIPAA-covered entities and their business partners with new incentives to revisit their overall HIPAA compliance program.
Details of the Alleged HIPAA Violations
According to the HHS press release and related settlement documents, the agreement "relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006." Specifically, on "several occasions" between September 2005 and March 2006, "backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended." In one of the incidents, four backup disks and two optical disks were left unsecured overnight in the vehicle of an employee and then were stolen. Apparently, the tapes were taken home under a practice that was then followed within Providence (perhaps as part of a contingency or backup plan). According to the Resolution agreement, "the ePHI on the tapes and disks was not encrypted." In the other incidents, the laptops also were not encrypted. These portable media and laptops "were subsequently lost or stolen, compromising the protected health information of over 386,000 patients."
The time frame and specific events are important both in terms of assessing what the reasonable "best practices" then were and in assessing the length of time required for HHS to resolve its investigation. Perhaps of significance, the Oregon Department of Justice announced a settlement with Providence in September 2006. That settlement reportedly required a payment of $95,000 and undertakings by Providence to designate a security program coordinator, perform employee training, conduct regular testing of the security program's effectiveness, and to pay for any patient's direct financial losses resulting from the theft of data (no such losses then being known).
The breach also triggered a proposed Oregon class action against Providence. That complaint was dismissed by the trial judge in November 2007 for failure to allege compensable damages, and the class allegations were stricken because Providence had identified and notified the proposed class members, timely offered them reasonable compensation or remedies, and ceased the practice alleged to have caused damage. Those rulings were appealed, and the appeal is now being briefed in the Oregon Court of Appeals. Paul v. Providence Health System-Oregon (No. CA A137930).
HHS received approximately 30 complaints about the stolen tapes and disks, all of which appear to have been received after Providence notified individuals of the losses voluntarily or pursuant to state security breach notification laws. Providence also had reported these incidents to HHS.
The Investigation and Resolution
Because both the HHS Office for Civil Rights (which enforces the Privacy Rule) and the Centers for Medicare and Medicaid Services (which enforced the Security Rule) have relevant enforcement authority, reflecting the overlap in some situations between the Privacy Rule and the Security Rule in the context of appropriate safeguards, a joint investigation was conducted by both enforcement agencies.
Following this investigation, which lasted at least two years, Providence and HHS reached a "resolution agreement" as a means of concluding the matter. This agreement both imposes a significant payment of $100,000 and requires Providence to follow an aggressive "corrective action plan" in relation to the areas of concern. The settlement (apparently) releases civil claims against Providence, but there is no release of potential criminal liability under the HIPAA statute. (Presumably, no criminal release is provided because the Department of Justice is not a party to the Resolution Agreement, rather than because a criminal prosecution is actually anticipated, but this is an open issue that could make Providence officials somewhat nervous.)
As to the payment, HHS was careful in its press release and agreement language not to call the amount a "penalty." The HIPAA Enforcement Rule creates a substantial set of procedural requirements before a civil monetary penalty can be imposed as a result of a HIPAA violation. Moreover, it is at least arguable that the Enforcement Rule requires a second violation before HHS has the authority to impose civil monetary penalties at all.
To HHS, Providence's "cooperation" "allowed HHS to resolve this case without the need to impose a civil money penalty." Nonetheless, because the Enforcement Rule makes clear that HHS may not impose a penalty "in excess of $25,000 for identical violations in a calendar year," there is no obvious explanation for how this settlement amount was derived. In any event, this payment amount is clearly a substantial and aggressive penalty, even if HHS did not want to label it a penalty.
Beyond the monetary amount, HHS also imposed a "corrective action plan." This CAP includes a number of burdensome elements. Specifically, the corrective action plan requires Providence to:
- Revise its policies and procedures regarding physical and technical safeguards (e.g., encryption) governing off-site transport and storage of electronic media containing patient information, subject to HHS's approval and additional requirements imposed by HHS for these policies. The specific elements required by the agreement are properly within the scope of the HIPAA Security Rule, but the CAP mandates a level of detail that is more substantial and granular than the Rule requires;
- Distribute these policies to all work force members, and provide documentation to HHS that these materials have been distributed, including a "compliance certification" from every work force member;
- Assess, update and revise its policies at least annually, and provide all revisions to HHS for review and approval;
- Train work force members on the safeguards, and provide documentation of training to HHS;
- Conduct mandatory quarterly "monitor reviews," including unannounced site visits at facilities, employee interviews and inspection of a random sample of portable devices, to ensure compliance across the work force, and provide reports of these reviews to HHS, including "all notes, workpapers, and other records created during the Monitor Reviews;" and
- Submit detailed compliance reports to HHS for a period of three years.
Implications for Future Enforcement
What conclusions can we draw from this settlement about ongoing HIPAA enforcement?
This is a serious and aggressive enforcement action. While HHS can be criticized for taking five years to impose its first monetary penalty, the Providence agreement represents a substantial enforcement step. Given the range of penalties permitted by the HIPAA Enforcement Rule, the penalty is quite large—and HHS needs to be creative to justify how this amount is consistent with the Rule. Moreover, some of the standards imposed by the CAP mirror provisions in corporate integrity agreements and deferred prosecution agreements, where health care providers and others have engaged in much more egregious conduct. So, this is an enforcement step that needs to be taken seriously.
Does this mean that many more actions will follow?
Despite the extent of this payment, no evidence at this point suggests a wholesale shift in HHS enforcement approach or any reason to anticipate a large number of enforcement actions in the near future. This settlement does stem from events that are more than two years old, so there certainly are likely to be more cases in the pipeline. Nonetheless, unless a new Administration adopts a different approach, covered entities should not be overly fearful of aggressive enforcement action based on privacy or security rule violations. The primary approach of these enforcement offices is still to educate, train and fix problems, rather than impose sanctions.
But the security practices here were reasonably common at the time.
Nothing about the targeted practices obviously jumps out to justify making Providence the first "example" case for enforcement. In 2005 and 2006, laptop encryption was growing but clearly was not uniform. There were reports on almost a daily basis of laptop thefts and other issues related to laptops, across the health care industry and otherwise. Similarly, the idea that backup tapes and disks would be encrypted was quite uncommon (and may still be so today). So, this action reflects a strong statement about a practice that was not then particularly unusual, and may not be unusual even today.
Lessons Learned for Covered Entities
Be aware of the impact of your notice.
This case seems to have been driven by complaints that were submitted following the provision of notice by Providence to its patients. No evidence of any actual harm from these information losses was reported. So, while Providence clearly took action that it believed was required by state notification laws, and notified HHS about the losses as well, these notices themselves seem to have triggered the investigation and eventual settlement. Accordingly, companies should be very careful about providing notice, and should focus attention both on situations where notice is appropriate and on the language that is used to describe the incidents, so that patients and customers are not unduly concerned about risks that may not exist. Also, covered entities need to pay close attention to the developments on Capitol Hill that may result in passage of a federal law on security breach notification for the health care industry, as part of a broader set of legislative provisions dealing with health care technology.
Make sure you are keeping pace with technological developments.
This settlement focuses attention on the need for companies to stay abreast of technological developments—and perhaps even to stay ahead of the curve. In late 2005, laptop encryption was progressing but was not the standard practice in the health care industry. The same was true with backup tapes. So, this settlement—with no clear explanation of what part of the security incidents constituted the violations of the HIPAA rules—seems to require a "better than standard" obligation in order for security practices to be deemed "reasonable and appropriate" under the HIPAA rules. As a corollary, companies should pay close attention to public reports of where security breaches have occurred with other companies—if another company has a problem with a specific kind of media, for example, your company should evaluate whether you have similar policies in place and, if so, what can be done to improve the policies and procedures related to protection of this information.
Make sure you are aware of what HHS has said on security.
Last, as part of their ongoing security compliance efforts, companies must make sure that they have evaluated all of the guidance that is coming from HHS in connection with security practices. The Providence CAP identifies specific areas for policies and procedures—your company should be able to explain its policies and procedures in each of these areas, even if the Security Rule itself does not require those specific elements. Moreover, HHS has provided various materials concerning the ongoing security assessment process that is under way. Companies should be reviewing the questions and document requests that have been identified as part of the "standard" assessment, to make sure that they have a reasonable basis for responding to each of those areas, in the event that they were to become the target of a security assessment or other security-related enforcement action.
Overall, the Providence "resolution agreement" should be an eye-opener for the health care industry. It represents the start of a new enforcement era under the HIPAA Privacy and Security Rules. While there is no need for an overreaction, this agreement should motivate all HIPAA-covered entities to reevaluate their current security practices, to engage in a more focused effort to stay abreast of technological developments and to recognize the importance of documenting procedural changes to reflect the areas of HHS' primary interest on privacy and security issues.