Recent settlements and initiatives conducted by the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services highlight the continuing need for focus on compliance with the privacy and security requirements of the Health Insurance Portability and Accountability Act ("HIPAA").
Provider settlements from 2015 and early 2016 indicate a continuing emphasis by OCR—the federal agency charged with implementing and enforcing HIPAA regulations—on core HIPAA requirements with which a substantial number of providers continue to struggle. These include conducting HIPAA risk assessments and entering into business associate agreements, as required by HIPAA.
In April 20, 2016, OCR reported a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. in North Carolina. OCR found that Raleigh Orthopaedic failed to enter into a business associate agreement before releasing x-ray films and other information of approximately 17,300 patients to a vendor that planned to transfer x-ray images to electronic media in exchange for harvesting silver from the x-ray films.
Previously, on September 2, 2015, OCR reported a $750,000 settlement with Cancer Care Group, P.C., a private physician practice with 13 physicians. Similar to many other OCR investigations, this one resulted from the theft of unencrypted backup media from an employee's car. OCR indicated that, in particular, Cancer Care failed to conduct an enterprise-wide HIPAA risk analysis and implement a comprehensive device and media control policy, thereby contributing to the breach.
In December 2015, OCR reported a $750,000 settlement with The University of Washington Medicine ("UWM") following an investigation triggered by a data breach that occurred when an employee downloaded an e-mail containing malware. OCR found UWM had not ensured that all of its affiliated entities were conducting HIPAA risk assessments and responding to risks and vulnerabilities in their system environments.
In March 2016, OCR reported a $1.55 million settlement with North Memorial Health Care of Minnesota following a breach involving the theft of a laptop from a workforce member's vehicle. OCR cited North Memorial both for failing to conduct an organization-wide HIPAA risk assessment and for failing to enter into a business associate agreement with a major contractor before granting the contractor access to a database containing information of 289,904 patients.
Last but not least, in late March, OCR announced the formal launch of its long-delayed Phase 2 HIPAA Audit Program. OCR plans to complete desk audits of covered entities and business associates over the course of 2016. OCR is first contacting entities with pre-audit questionnaires. OCR is then using the data it gathers to select entities for audits. Entities selected for audits will receive e-mail notices and have 10 days to submit information requested by OCR. As a result, HIPAA covered entities and business associates should take care not to miss any OCR e-mails and should take proactive steps to ensure their organizations are compliant with HIPAA requirements, including the risk assessment and business associate agreement requirements that were at issue in recent settlements.