Last year, the Health and Human Services Office for Civil Rights (OCR) announced twelve settlements with a variety of HIPAA covered entities, including hospitals, universities, business associates and a physical therapy provider. The headlines announcing these settlements were dramatic and the associated penalties were substantial, as the following sample headlines demonstrate:
- $2.14 million HIPAA settlement underscores importance of managing security risk
- Business associate’s failure to safeguard protected health information (PHI) leads to $650,000 HIPAA settlement
- $1.55 million settlement underscores the importance of executing HIPAA business associate agreements
- Physical therapy provider settles violations that it impermissibly disclosed patient information
This Compliance Watch article provides an overview of OCR’s enforcement authority and process, identifies trends in the 2016 HIPAA settlements, and highlights key activities from the recent corrective action plans. The key activities, which often mirror the seven elements of a compliance program, can be adapted and incorporated into your organization’s compliance work plan to address compliance risks.
The Enforcement Process
Individuals cannot sue a covered entity under the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”); the HIPAA Rules create no private right of action. Instead, an individual must file a complaint with OCR.[1] OCR and the Department of Justice (DOJ) enforce the HIPAA Rules.
Individuals must file a complaint within 180 days of when they knew, or should have known, that the alleged violation occurred. OCR can waive the deadline if the individual shows “good cause” for the delay. When filing a complaint, individuals must include their name and contact information, although they may ask OCR to keep that information confidential.
Since 2003, OCR has received over 144,500 HIPAA complaints and has resolved 97% of them. Once a complaint is received, OCR reviews it to determine whether it alleges a possible violation of the HIPAA Rules. Approximately 60% of complaints are dismissed at this stage because the complaint was not timely, the entity is not covered by the HIPAA Rules, or the incident described does not violate the HIPAA Rules.[2]
OCR investigates approximately 25% of the complaints it receives.[3] According to OCR, the compliance issues investigated most often are:
- Impermissible uses and disclosures of PHI
- Lack of administrative safeguards of PHI
- Lack of patient access to their PHI
- Uses or disclosure of more than the minimum necessary PHI
When OCR accepts a complaint for investigation, OCR notifies both the individual who filed the complaint and the covered entity. Both parties are asked to present information about the incident. Covered entities are required by law to cooperate with the investigation.
After reviewing the evidence gathered in each case, OCR may determine that the covered entity did not violate the HIPAA Rules. If the evidence indicates that the covered entity did not comply with the HIPAA Rules, OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action and/or a resolution agreement (settlement).
If a covered entity does not resolve the matter in a manner satisfactory to OCR, OCR may pursue civil monetary penalties (CMPs). There are four tiers of CMPs reflecting increasing levels of culpability: violations the entity did not know of and could not reasonably have known of; violations due to reasonable cause; willful neglect that is corrected; and willful neglect that is not corrected. In negotiating a settlement, the amount often reflects the CMPs that OCR could pursue if the covered entity did not resolve the matter.
Settlement Trends and Lessons Learned
As of December 31, 2016, OCR had settled 41 cases, with total settlements of over $48 million. OCR intends each settlement to send a message, both to the covered entity involved and to other covered entities, about the top HIPAA risks. It is therefore important for all covered entities to be familiar with the recent settlements: by incorporating activities from the corrective action plans into a compliance work plan, an organization can address the same HIPAA risks before they become incidents.
While the HIPAA compliance team at your organization will want to review each of the settlement agreements, corrective action plans and relevant HIPAA Rule requirements, below we highlight five trends from the 2016 settlements and summarize some of the key activities from the related corrective action plans.
Stolen Computers and Other Devices
In half of the settlements announced in 2016, the covered entity had experienced the theft of desktop computers, laptops or mobile phones containing electronic PHI (ePHI). For example:
- Advocate Health Care Network agreed to a $5.5 million settlement and a two year corrective action plan for multiple potential violations of the HIPAA Rules, including the theft of four desktop computers containing the ePHI of 3.9 million individuals from an administrative office and the theft of an unencrypted laptop containing the ePHI of 2,237 individuals from an employee’s vehicle.
- University of Mississippi Medical Center agreed to a $2.75 million settlement and a three year corrective action plan for potential violations of the HIPAA Rules, for potentially compromising the ePHI of an estimated 10,000 patients after a laptop stolen from the intensive care unit gave the thief access to the wireless network, and the ePHI reachable from it, through a generic username and password.
- North Memorial Health Care of Minnesota agreed to a $1.55 million settlement and a two year corrective action plan for potential violations of the HIPAA Rules related to the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from the vehicle of a business associate’s employee. (A login password does not protect data at rest: the disk of an unencrypted laptop can simply be removed and read on another machine, which is why OCR treats “password protected” as no substitute for encryption.)
The corrective action plans for the covered entities that settled over stolen computers and other devices included the following activities:
- Risk assessment and management: Under the HIPAA Security Rule, covered entities are required to conduct a thorough, organization-wide risk analysis that covers all electronic equipment that contains, stores, transmits or receives ePHI, including equipment owned by workforce members as well as by the covered entity. The covered entities that signed settlement agreements with OCR were required to submit the results of their risk analysis and their risk management plan to OCR for approval.
- Developing written policies and procedures: The covered entities were required to review, revise and/or develop policies and procedures to protect ePHI stored on computers and other devices. Required policy topics included:
  - Hardware and mobile device management, including authorization requirements for personal devices and media used with the covered entity’s ePHI systems, and rules for the disposal and reuse of such devices and media;
  - Unique user identification plans; and
  - Prohibitions on transferring ePHI to unencrypted storage devices.
- Providing training and education: The covered entities were required to:
  - Train all workforce members at least annually and retain proof of attendance (sign-in sheets, completed quizzes, etc.);
  - Train new workforce members within 15 days of their start date; and
  - Review their training content regularly (at least every one to two years) and update it as necessary. Required training topics varied with the incident and included:
    - Managers’ oversight of workforce members’ uses and disclosures of PHI;
    - Security incident reporting; and
    - Password management.
Disclosing ePHI on the Internet
Placing ePHI on internet-facing services without proper safeguards can violate the HIPAA Rules. Settlements from 2016 that highlighted this risk included:
- Oregon Health & Science University agreed to a $2.7 million settlement and a three year corrective action plan for multiple potential violations of the HIPAA Rules, including using an internet-based cloud storage service to maintain a spreadsheet of information about 3,044 individuals.
- St. Joseph Health agreed to a $2.14 million settlement and a three year corrective action plan for exposing the ePHI of 31,800 individuals via a file-sharing application that left the ePHI publicly accessible, and indexed by Google and possibly other search engines, for a year.
Some key activities from the corrective action plans for covered entities that disclosed ePHI on the internet included:
- Providing training and education: The covered entities were required to provide:
  - Mandatory privacy and security training; and
  - Specific training on the use of internet-based information storage services and on the requirement to have a business associate agreement, or other reasonable assurance, in place to ensure that ePHI is safeguarded.
- Internal monitoring and auditing: The covered entities were required to:
  - Assess workforce members’ familiarity with, and compliance with, the policies addressing ePHI;
  - Conduct site visits to different departments and sites to assess compliance with the relevant policies and procedures; and/or
  - Interview employees and inspect portable devices.
Using PHI for Publicity
In 2016, OCR announced the following settlements in which covered entities used PHI without valid authorization from the patients:
- Complete P.T., Pool & Land Physical Therapy agreed to a $25,000 settlement and a three year corrective action plan following the disclosure of several individuals’ PHI as a result of posting patient testimonials that included photographs of patients’ faces and full names on its website.
- New York Presbyterian Hospital paid a $2.2 million settlement and agreed to a two year corrective action plan for allowing two individuals receiving urgent medical care to be filmed without the patients’ authorization.
The corrective action plans for these two covered entities included the following activities:
- Developing written policies and procedures: The covered entities were required to develop policies and procedures on authorization for the use of PHI for publicity or media purposes, including:
  - A description of the uses and disclosures for which individual authorization is required, including use on the website, on social media or for publicity;
  - A description of the procedure for obtaining an individual’s authorization;
  - A valid authorization form; and
  - Sanctions against workforce members who fail to comply with the policies and procedures.
Employee Access to PHI
Two 2016 settlements highlighted the risks of former employees retaining access to PHI:
- Triple-S Management Corporation paid a $3.5 million settlement and signed a three year corrective action plan to resolve multiple potential violations of the HIPAA Rules, including two former employees who accessed a database containing ePHI because their access rights were not revoked when they left the covered entity’s employment; in a separate incident, another employee copied ePHI onto a CD and loaded it onto a computer at his new employer.
- St. Elizabeth’s Medical Center paid $218,400 and agreed to a one year corrective action plan after reporting to OCR that a former employee had stored the ePHI of 595 individuals on a personal laptop and USB drive.
Corrective actions for these covered entities included:
- Developing written policies and procedures: The covered entities were required to develop policies and procedures that revoke an employee’s access to PHI automatically upon termination of employment. A revocation policy is only as good as the check that it actually ran: a periodic reconciliation of HR terminations against the accounts still enabled on ePHI systems, and against the systems’ authentication logs, is what catches the cases where the process was skipped or the account lived outside the automated feed.
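The following is an added example of such a reconciliation check; it is not from the original article, from OCR, or from any of the covered entities named above. It compares an HR termination roster against an export of user accounts on an ePHI system and against that system’s authentication audit log, and reports accounts still enabled after the termination date, successful activity after termination, and accounts with no HR record at all. The roster, the account export, the log line format and every field name are constructed for the example; a real deployment would read the same three inputs from the HR system, the directory or application, and the SIEM.

```python
"""
Access-revocation reconciliation check (added example, constructed data).

Inputs: an HR roster mapping user IDs to termination dates, an account
export from an ePHI system, and syslog-like authentication audit lines.
Output: findings for accounts that should have been revoked but were not.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed HR roster: user_id -> termination date (None = still employed)
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2016, 3, 14),
    "bjones": date(2016, 6, 1),
    "clee": date(2016, 8, 20),
}

# Constructed account export from the ePHI system: user_id -> enabled flag
ACCOUNTS = {
    "jdoe": True,
    "asmith": True,     # terminated in March, still enabled
    "bjones": False,    # properly disabled
    "clee": True,       # terminated in August, still enabled
    "vendor01": True,   # no HR record at all (orphan account)
}

# Constructed audit log lines in a hypothetical key=value syslog format
AUDIT_LOG = """\
2016-03-10T08:15:02 host=ehr-app1 event=login user=asmith result=success src=10.1.4.22
2016-04-02T22:41:17 host=ehr-app1 event=login user=asmith result=success src=203.0.113.9
2016-06-03T09:02:44 host=ehr-app1 event=login user=bjones result=failure src=10.1.4.30
2016-08-25T11:20:05 host=ehr-app1 event=query user=clee result=success src=198.51.100.7
2016-09-01T07:00:00 host=ehr-app1 event=login user=jdoe result=success src=10.1.4.22
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Finding:
    user: str
    kind: str    # "still_enabled", "post_termination_activity" or "orphan_account"
    detail: str


def parse_audit_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def reconcile(roster, accounts, events):
    """Cross-check accounts and activity against HR termination dates."""
    findings = []
    # Pass 1: account state. Enabled accounts of terminated users and
    # accounts with no HR owner are both revocation failures.
    for user, enabled in accounts.items():
        if user not in roster:
            findings.append(Finding(user, "orphan_account",
                                    "no HR record; owner unknown"))
            continue
        term = roster[user]
        if term is not None and enabled:
            findings.append(Finding(user, "still_enabled",
                                    f"terminated {term.isoformat()} but account enabled"))
    # Pass 2: activity. Any successful event dated after the termination
    # date is evidence the access was actually used, not just left open.
    for ev in events:
        term = roster.get(ev["user"])
        if term is None or ev["result"] != "success":
            continue
        if ev["ts"].date() > term:
            days = (ev["ts"].date() - term).days
            findings.append(Finding(ev["user"], "post_termination_activity",
                                    f"{ev['event']} at {ev['ts'].isoformat()} from "
                                    f"{ev['src']}, {days} days after termination"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCOUNTS, parse_audit_log(AUDIT_LOG)):
        print(f"{f.kind:26s} {f.user:10s} {f.detail}")
```

Run as-is, the check reports asmith and clee as both still enabled and active after their termination dates, and vendor01 as an account with no HR owner; bjones, whose account was disabled and whose only post-termination event was a failed login, produces nothing. The two passes are deliberately separate: the first finds access that was never revoked, the second finds access that was actually used, and a compliance team will want to treat the second as a potential reportable incident rather than a housekeeping item.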
Disclosing PHI without a Business Associate Agreement
Several of the 2016 settlements involved covered entities releasing PHI to a vendor without an appropriate business associate agreement (BAA) in place:
- Raleigh Orthopaedic Clinic, P.A. of North Carolina paid $750,000 and agreed to a two year corrective action plan for releasing x-ray films and related PHI of 17,300 patients, without a BAA in place, to a vendor that had promised to transfer the images to electronic media.
- Care New England Health System agreed to a $400,000 settlement and a two year corrective action plan for releasing back-up tapes containing the PHI of 12,127 patients to a business associate under a BAA that had not been updated since 2005.
Key activities in these corrective action plans included:
- Providing training and education: The covered entities were required to train workforce members on disclosures to third parties that require a business associate agreement, or other reasonable assurance, to be in place to ensure that ePHI is safeguarded.
- Developing written policies and procedures: Required topics included:
  - Designating one or more individuals responsible for ensuring that the covered entity enters into a BAA with each of its business associates;
  - Creating a process for assessing the covered entity’s current and future business relationships to determine whether each relationship is with a business associate, and requiring a BAA where it is;
  - Creating a process for negotiating and entering into BAAs with business associates before any PHI is disclosed to them;
  - Creating a standard template BAA;
  - Creating a process for retaining BAAs for at least six (6) years beyond the date the business associate relationship ends; and/or
  - Limiting disclosures of PHI to business associates to the minimum necessary.
Because OCR expects covered entities to be aware of and respond to the information in the recent HIPAA settlements, covered entities should incorporate relevant activities from the corrective action plans into a compliance work plan that addresses their organization’s top risks. The corrective action plans in the 2016 settlements alert covered entities to the need to build robust compliance programs that address HIPAA risks through the development of written policies, training and education, and internal monitoring and auditing.
[1] While the vast majority of OCR’s enforcement activities are based on individual complaints received, OCR may also investigate covered entities in response to tips, media reports or information from OCR’s audit program.
[2] OCR provides covered entities with technical assistance in response to approximately 10% of the complaints received.
[3] OCR also refers complaints to the Department of Justice (DOJ) for criminal investigation when the complaint involves knowingly disclosing or obtaining PHI in violation of the HIPAA Rules. Since 2003, OCR has made 589 referrals to the DOJ.