On July 15, 2008, the U.S. Department of Health & Human Services (“HHS”) entered into its first Resolution Agreement with a HIPAA-covered entity to settle alleged violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a Corrective Action Plan with the government. HHS advised that Providence’s cooperation in the investigation helped it avoid a “civil monetary penalty.” Providence has been released from further civil fines to HHS arising out of the particular activities at issue in this matter, provided that Providence complies with the terms of the three-year Corrective Action Plan. The Resolution Agreement did not release Providence from any potential criminal liability.
Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS had previously resolved such cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.
The circumstances underlying the Resolution Agreement were at least five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients. Providence, in accordance with state notification laws, advised patients of the loss of their information. More than 30 of those patients subsequently complained to HHS, although there is no evidence that any of their personal information was wrongfully used as a result of these incidents. The HHS Office of Civil Rights, responsible for enforcing the privacy regulations under HIPAA, and the HHS Centers for Medicare & Medicaid Services, responsible for enforcing the security regulations under HIPAA, jointly investigated these complaints, focusing on Providence’s failure to implement policies and procedures to safeguard the ePHI.
Pursuant to the Corrective Action Plan, for the next three years Providence must:
- Provide copies to HHS, for its review and approval, of policies and procedures that address physical and technical safeguards for off-site storage and transport of electronic media containing ePHI;
- Following HHS approval of these security policies and procedures, provide to HHS evidence that Providence has implemented such policies and procedures, and distributed them to all applicable members of its workforce;
- Require a signed certification from each workforce member that such person has read, understood and will follow such policies and procedures;
- Annually assess such policies and procedures, and revise as appropriate;
- Train all workforce, including obtaining a signed certification of training from each workforce member before s/he may transport a portable device containing ePHI, or conduct off-site storage or transport of backup media containing ePHI;
- Notify HHS if it discovers that a workforce member violated any of these procedures;
- Conduct quarterly “Monitor Reviews,” including unannounced site visits, interviews of employees and inspection of portable devices to ensure compliance with these policies, and provide records of such monitoring to HHS; and
- Submit annual reports to HHS that show its compliance with this Plan.
When considered individually, none of the reported security incidents experienced by Providence in 2005 and 2006 was extraordinary. Virtually every day the media includes reports of laptop losses or thefts. Further, the HIPAA privacy and security regulations do not explicitly prohibit off-site access or transport of ePHI, and do not require encryption of ePHI in all circumstances. While security practices are still evolving, at the time of these incidents, it was not uncommon for health care organizations to maintain unencrypted ePHI in storage media, or to permit employees to remotely access ePHI.
When considered collectively, however, the occurrence at Providence of five similar security incidents over a six month period is more noteworthy and relevant for other health care organizations. Further, the types of remedial measures included in the Corrective Action Plan provide evidence of HHS’ focus in this area, and serves as additional guidance for HIPAA-covered entities. As a starting point, a covered entity should review its current privacy and security policies and procedures to determine if they remain relevant, consistent with the experience of the organization, and current with technological advances. Annual reviews should follow. If a HIPAA-covered entity instituted security policies and procedures in 2003 or 2004, those may no longer be reasonable in 2008, and may no longer be consistent with security procedures at other similar organizations. In addition to keeping abreast of industry standards, companies should follow applicable guidance from HHS. In connection with the particular incidents at Providence, in late 2006, HHS issued guidance on the use of portable media, and offsite access and transport of ePHI.
Any time privacy and security policies and procedures are updated, copies of such revised policies and procedures should be distributed to all applicable employees, and such employees should be retrained in the revised procedures. Next, in the event of a privacy breach or other security incident, a covered entity should immediately investigate the cause of the incident, review its then current policies and procedures to determine what additional measures should be taken to avoid future similar incidents, promptly institute any necessary revisions to policies and procedures, and distribute revised policies and retrain employees as applicable. Periodic monitoring of compliance with existing privacy and security policies and procedures is also advisable. Finally, all privacy and security policies and procedures, and training in such policies and procedures should be actively documented.
In light of the Providence settlement, as well as HHS’ announcement earlier this year that it intends to conduct security audits of HIPAA-covered entities, it appears that we are now moving into an era where HHS is taking a more active role in HIPAA enforcement, particularly with respect to security of electronic health information.