On December 28, 2017, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that 21st Century Oncology, Inc. (21CO) agreed to pay $2.3 million in lieu of potential civil money penalties and to enter into a two-year Corrective Action Plan (CAP) to settle potential HIPAA Privacy and Security Rule violations. This is the eighth HIPAA settlement announced by the Trump Administration, and the first since May 2017 (relating to an impermissible disclosure of HIV information).
21CO is an international provider of cancer care services and radiation oncology, with headquarters in Ft. Myers, Florida. 21CO has 143 cancer treatment centers in 17 states in the U.S. 21CO filed for bankruptcy in May 2017, and this HIPAA settlement was approved by the Bankruptcy Court.
The HIPAA settlement resulted from an investigation by the FBI, which informed 21CO – on two separate occasions in 2015 – that its patients’ information had been illegally obtained by an unauthorized third party. 21CO’s internal investigation determined that the inappropriate access to 21CO’s database may have occurred through a remote desktop protocol connection from one of its Exchange servers. 21CO determined that more than 2.2 million individuals were impacted by the impermissible access to names, Social Security numbers, physicians’ names, and diagnosis and treatment information.
OCR’s investigation determined that 21CO (i) failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic protected health information (ePHI); (ii) failed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level; (iii) failed to implement procedures to regularly review records of its information system activity; and (iv) disclosed PHI to third-party vendors who were acting as business associates without having a written business associate agreement in place.
As part of the CAP, 21CO agreed to do each of the following:
- complete a risk analysis and risk management plan;
- revise certain of its security policies and procedures;
- once HHS approves the policies and procedures, distribute them to members of its workforce;
- catalog each of its business associate relationships;
- develop an internal monitoring plan, and engage a third party assessor to review its compliance efforts;
- develop an internal reporting plan of any potential HIPAA violations; and
- prepare annual reports to HHS regarding its CAP compliance.
As we begin 2018, covered entities and business associates should revisit their HIPAA Privacy, Security and Breach Notification policies and procedures to ensure internal compliance and make timely adjustments as appropriate. The start of a new year is also an opportune time to determine when a HIPAA security risk assessment was last performed, and to conduct a new assessment if applicable. While HIPAA compliance has not been in the news as prominently over the past several months – certainly not as much as the debate around health care reform and the repeal of the Affordable Care Act, and horizontal and vertical integration in the health care delivery system – it remains a critical element of an effective compliance program. The HIPAA Security Rule seems to get less attention from entities than the HIPAA Privacy Rule, though it is just as important, and an alleged violation of the Security Rule can affect far more individuals and be far more costly in terms of a settlement with HHS. Cybersecurity issues affecting health care providers were prominent in 2017 and can be expected to continue. Ensuring compliance with the HIPAA Security Rule’s physical, technical and administrative safeguards – both required and addressable implementation specifications – should be a 2018 priority.