Cignet Proves That It Is Bad To Violate The HIPPA Privacy Rule, But Worse To Ignore HHS

Posted on February 28, 2011 by Proskauer Rose LLP

Cignet Health (Cignet), which operates four health centers in Maryland, is a little lighter in the wallet after the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) found that Cignet violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - $4.3 million lighter, to be exact.

This penalty marks the first civil money penalty imposed by HHS for violations by a “covered entity” of the HIPAA Privacy Rule. In the past, HHS has primarily worked with covered entities to settle the violations and obtain agreement to changes in practices. The civil monetary penalty imposed upon Cignet is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified HIPAA.

HHS news release, part of the penalty stems from Cignet’s denying 41 patients their right to access their medical records when requested between September 2008 and October 2009. Under HIPAA, a covered entity must provide access to a patient who requests such access to his or her medical record within 30 days of the request, subject to various exceptions and limited rights to extend such time period. (Numerous state laws include similar obligations that health care providers provide a patient with access to his or her own records, often within shorter time frames than is required by HIPAA.) Thirty-eight separate complaints of such denial of access had been filed with OCR, pursuant to which OCR began its investigation of Cignet. HHS has indicated that $1.3 million of the $4.3 million penalty is attributable to this denial of access to a patient’s records.  

Notably, out of the over 50,000 complaints of alleged HIPAA Privacy Rule violations that OCR has resolved, the denial of a patient’s access to his or her own records has been the third most cited reason for such a complaint every year since 2003, when compliance with the Privacy Rule was first legally required. But every other such complaint of denial of access was informally resolved with OCR. According to various news reports, Cignet never attempted to informally resolve the complaints with OCR.

In Cignet’s case, $3 million of the penalty is attributable to OCR finding that Cignet repeatedly failed to respond to various requests from OCR for more than a year (March 17, 2009 to April 4, 2010), resulting in per-day penalties, up to the maximum permissible penalties per year pursuant to applicable enforcement rules. Under HIPAA, covered entities are required to cooperate with HHS investigations. Even after Cignet finally produced the applicable patient records to HHS (in response to a federal court order), Cignet’s cooperation was limited in that it produced records relating to thousands of patients in addition to the 41 at issue. In various communications from OCR during the course of the investigation and the initial proposal of penalties, Cignet was notified of its rights to offer defenses and mitigating factors, and subsequently, of its rights of appeal. Cignet never exercised any of its rights.

The lesson to be learned from Cignet is that if you violate the HIPAA Privacy Rule, be prepared to pay, but if you fail to cooperate with OCR investigations into such violations, be prepared to pay even more (potentially 200% more). The question remains as to whether or not the extent of this fine is a true example of a new approach to enforcement of HIPAA, or whether Cignet’s ignoring official inquiries, failing to pursue informal resolution and not exercising its rights under HIPAA warranted unusual measures.
Tags: , , , , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Sanctions for Lazy Disposal Require Drug Store Chain to Re-"Rite" its Data Security Policies and Procedures

Posted on August 5, 2010 by Brendon Tavelli

Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures and penalties for employees that fail to comply with them.

In addition to the HHS resolution agreement, Rite Aid has entered into a separate, but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!
Tags: , , , , , ,

New HIPAA Cop: First AG Settlement for HIPAA Violations

Posted on July 14, 2010 by Proskauer Rose LLP

Last week, the Connecticut Attorney General became the first state attorney general to enter into a settlement agreement for HIPAA violations, as a result of the new authority granted to attorneys general under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This settlement resulted from the first ever attorney general action under the HITECH Act, as a result of the loss by Health Net, a health insurer, of a computer disk drive that contained unencrypted protected health information such as claims forms, health plan appeals information, and other sensitive data relating to approximately 1.5 million health plan participants (approximately one-third of whom resided in Connecticut). The Connecticut AG focused upon the several month delay by Health Net in reporting the loss to law enforcement officials. 

As part of the settlement, Health Net has agreed to pay $250,000 to the state, offer two years of credit monitoring for affected participants, obtain $1 million of identity theft insurance, and reimburse affected individuals for security freezes. An additional contingent payment of $500,000 will need to be paid, under specified circumstances, in the event that the lost information is actually accessed and misused. Further, Health Net has agreed to a corrective action plan that includes various privacy and security measures to heighten protections for health information as well as other sensitive data, regular monitoring, and reporting to the attorney general’s office. Many of the steps that Health Net agreed to undertake relate to the handling of portable media and the encryption of sensitive data, such as encryption of hard drives, including those on desktop computers, as well as to the improvement of security training and awareness for personnel. 

While many commentators have understandably focused on the security breach notification provisions of the HITECH Act, the provision of the Act that authorizes state attorneys general to bring civil actions for violations of HIPAA also warrants attention. The inclusion of this provision adds an additional avenue for enforcement of privacy and security violations by HIPAA-covered entities, although the Connecticut action is the only action that has been brought to date since HITECH Act was enacted in February 2009.
Tags: , , , , , , ,

HHS and FTC Announce New Breach Notification Rules for Unsecured Protected Health Information

Posted on September 23, 2009 by Kristen J. Mathews

On August 24 and 25, 2009, the Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”), respectively published rules on when and how covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and vendors of personal health records (“PHR”) must notify individuals of security breaches concerning their unsecured protected health information (“PHI”). With its rule, HHS also provided guidance on securing PHI through “encryption” and “destruction” measures. While compliance with these security measures is not required, conformance to the guidance offers a relative safe harbor for covered entities and vendors in the event of a security breach.  See September 1, 2009 client alert from Proskauer's Health Care Department for additional information.

Tags: , , ,

HHS Enters Into First Monetary Settlement Under HIPAA

Posted on August 29, 2008 by Proskauer Rose LLP

On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.

Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.

 The circumstances underlying the Resolution Agreement were at least five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients. Providence, in accordance with state notification laws, advised patients of the loss of their information. More than 30 of those patients subsequently complained to HHS, although there is no evidence that any of their personal information was wrongfully used as a result of these incidents. The HHS Office of Civil Rights, responsible for enforcing the privacy regulations under HIPAA, and the HHS Centers for Medicare & Medicaid Services, responsible for enforcing the security regulations under HIPAA, jointly investigated these complaints, focusing on Providence's failure to implement policies and procedures to safeguard the ePHI.

Pursuant to the Corrective Action Plan, for the next three years Providence must:

 

▪           Provide copies to HHS, for its review and approval, of policies and procedures that address physical and technical safeguards for off-site storage and transport of electronic media containing ePHI;

▪           Following HHS approval of these security policies and procedures, provide to HHS evidence that Providence has implemented such policies and procedures, and distributed them to all applicable members of its workforce;

▪           Require a signed certification from each workforce member that such person has read, understood and will follow such policies and procedures;

▪           Annually assess such policies and procedures, and revise as appropriate;

▪           Train all workforce, including obtaining a signed certification of training from each workforce member before s/he may transport a portable device containing ePHI, or conduct off-site storage or transport of backup media containing ePHI;

▪           Notify HHS if it discovers that a workforce member violated any of these procedures;

▪           Conduct quarterly “Monitor Reviews,” including unannounced site visits, interviews of employees and inspection of portable devices to ensure compliance with these policies, and provide records of such monitoring to HHS; and

▪           Submit annual reports to HHS that show its compliance with this Plan.

When considered individually, none of the reported security incidents experienced by Providence in 2005 and 2006 was extraordinary. Virtually every day the media includes reports of laptop losses or thefts. Further, the HIPAA privacy and security regulations do not explicitly prohibit off-site access or transport of ePHI, and do not require encryption of ePHI in all circumstances. While security practices are still evolving, at the time of these incidents, it was not uncommon for health care organizations to maintain unencrypted ePHI in storage media, or to permit employees to remotely access ePHI.

When considered collectively, however, the occurrence at Providence of five similar security incidents over a six month period is more noteworthy and relevant for other health care organizations. Further, the types of remedial measures included in the Corrective Action Plan provide evidence of HHS’ focus in this area, and serves as additional guidance for HIPAA-covered entities. As a starting point, a covered entity should review its current privacy and security policies and procedures to determine if they remain relevant, consistent with the experience of the organization, and current with technological advances. Annual reviews should follow. If a HIPAA-covered entity instituted security policies and procedures in 2003 or 2004, those may no longer be reasonable in 2008, and may no longer be consistent with security procedures at other similar organizations. In addition to keeping abreast of industry standards, companies should follow applicable guidance from HHS. In connection with the particular incidents at Providence, in late 2006, HHS issued guidance on the use of portable media, and offsite access and transport of ePHI.

Any time privacy and security policies and procedures are updated, copies of such revised policies and procedures should be distributed to all applicable employees, and such employees should be retrained in the revised procedures. Next, in the event of a privacy breach or other security incident, a covered entity should immediately investigate the cause of the incident, review its then current policies and procedures to determine what additional measures should be taken to avoid future similar incidents, promptly institute any necessary revisions to policies and procedures, and distribute revised policies and retrain employees as applicable. Periodic monitoring of compliance with existing privacy and security policies and procedures is also advisable. Finally, all privacy and security policies and procedures, and training in such policies and procedures should be actively documented.

In light of the Providence settlement, as well as HHS’ announcement earlier this year that it intends to conduct security audits of HIPAA-covered entities, it appears that we are now moving into an era where HHS is taking a more active role in HIPAA enforcement, particularly with respect to security of electronic health information. 
Tags: , , , ,