A recent costly settlement is the latest reminder of the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and a medical practice (the Group) entered into a resolution agreement that serves as an expensive reminder of potential HIPAA exposure for healthcare providers’ failure to maintain written policies and procedures. The settlement, which requires the Group to pay $150,000 and implement a corrective action plan, is based on OCR’s findings that the Group failed (i) to perform risk analysis (required under the HIPAA Security Rule) and (ii) to have written policies and procedures, and train members of its workforce (required under the Breach Notification Rule).
Landscape of Healthcare Data Breaches
In recent years, the number of reports of healthcare data breaches has skyrocketed. In 2013, the Identity Theft Resource Center (ITRC) identified 267 data breaches within the medical/healthcare industry, constituting 43% of all data breaches tracked by ITRC; in 2012, the ITRC identified 163 medical/healthcare data breaches, which comprised only 34.7% of all data breaches.
Pursuant to the Breach Notification Rule, HIPAA-covered entities (healthcare providers, health plans and healthcare clearinghouses) must notify individuals and OCR (and in some cases the media) of breaches of protected health information (PHI). The Breach Notification Rule further requires business associates to notify covered entities of such breaches. Since reporting began in 2009, OCR has received reports of more than 700 breaches involving 500 or more individuals and 64,000 reports of breaches involving fewer than 500 individuals.
Since 2008, OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into resolution agreements in 16 cases involving HIPAA noncompliance by covered entities.
The Breach, Investigation & Resolution Agreement
The Group is a 12-physician medical practice with six offices. OCR’s investigation and the settlement arose out of the theft of an unencrypted thumb drive containing electronic PHI (ePHI) of approximately 2,200 people from the vehicle of one of the Group’s staff members.
After the Group notified the media, the people whose ePHI was on the thumb drive and OCR, OCR investigated the Group’s compliance with the HIPAA Security, Privacy and Breach Notification Rules (HIPAA Rules). Although the mere occurrence of a breach did not trigger sanctions, the settlement resulted from OCR’s findings that:
- The Group violated the Security Rule by failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI;
- The Group violated the administrative requirements of the Breach Notification Rule by failing to maintain written policies and procedures, and to train members of its workforce regarding breach notification; and
- The Group impermissibly disclosed ePHI by failing to reasonably safeguard the unencrypted thumb drive, which allowed the thief to gain unauthorized access to ePHI.
Subsequent to OCR’s investigation, OCR entered into a resolution agreement with the Group, under which the Group agreed to:
- Pay a $150,000 fine;
- Perform a comprehensive, organization-wide risk analysis of all ePHI security risks and vulnerabilities covering the Group’s electronic media and systems;
- Address and mitigate any security risks and vulnerabilities uncovered in the risk analysis by developing a risk management plan and, if necessary, revising its policies and procedures;
- Provide the risk analysis, risk management plan and revised policies and procedures to OCR to review and revise, and implement any of OCR’s revisions; and
- Comply with reporting requirements.
What Does This Mean?
OCR’s press release notes conspicuously that this is the first settlement with a covered entity for failing to have breach notification policies. Despite the Group’s timely notification to the affected individuals, the media and OCR, the Group was sanctioned for violating the Breach Notification Rule by failing to maintain written breach notification policies and procedures.