With the news of the recent cyber-attack and resulting data breach at health insurance giant Anthem Inc., the buzz around data security and privacy is again high. The Anthem breach serves as a reminder to those entities subject to the Health Insurance Portability and Accountability Act (HIPAA) that failing to keep protected health information secure and private can lead to serious consequences. In fact, enforcement of HIPAA’s Privacy and Security Rules was at an all-time high in 2014, with the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) resolving a number of significant cases, summarized below.
As background, OCR began enforcing HIPAA’s rules on the use and disclosure (as opposed to the security) of protected health information (PHI) by covered entities (i.e., health plans, health care providers and clearinghouses) in 2003. These rules are known collectively as the “Privacy Rule.” OCR began enforcing HIPAA’s rules related to the security of PHI held or transferred in electronic form in 2009, four years after covered entities were required to comply. These rules are known collectively as the “Security Rule.” According to OCR’s website, OCR enforces the Privacy and Security Rules by investigating complaints filed with it and by conducting reviews to determine whether covered entities are in compliance. The total number of HIPAA complaints received by OCR since 2003 exceeds a staggering 106,000, and the number of complaints has risen every year but one (2009). The disposition of a complaint ranges from referral to the Department of Justice for possible criminal violations, to civil settlement with voluntary compliance or corrective action, to dismissal on the basis that no violation occurred, that OCR lacks jurisdiction (i.e., the entity is not covered by the Privacy or Security Rules) or that the complaint was untimely.
Below is a summary of seven significant settlements obtained by OCR in 2014. Six of the seven cases arose from the unauthorized use or disclosure of electronic PHI, and in six of the seven the data breach was self-reported by the covered entity. With the higher breach notification standard contained in the final Omnibus Rule (effective September 23, 2013), the incidence of self-reported data breaches and, consequently, OCR enforcement should continue to increase in the coming years.
Skagit County, Washington
On March 6, 2014, Skagit County, Washington agreed to settle potential violations of the Privacy, Security and Breach Notification Rules and, as part of the settlement, agreed to pay $215,000 and to work closely with HHS to correct alleged deficiencies in its HIPAA compliance program. The potential violations occurred at the Skagit County Public Health Department, which provides health services for low-income county residents. The investigation began when OCR received a breach report from the County stating that money receipts containing the electronic PHI of seven individuals were accessed by unknown parties after the receipts were inadvertently moved to a publicly accessible server. OCR’s investigation revealed a larger breach, which may have compromised the electronic PHI of 1,581 individuals. OCR’s settlement with Skagit County marks its first settlement with a county government.
QCA Health Plan, Inc.
On April 14, 2014, QCA Health Plan, Inc. (QCA) agreed to settle alleged violations of the Privacy and Security Rules and as part of the settlement, agreed to pay $250,000 and to provide HHS with an updated risk analysis and risk management plan that includes specific security measures to reduce the risks to its electronic PHI. The investigation began when OCR received a breach notice from QCA in 2012 reporting that an unencrypted laptop containing the PHI of 148 individuals was stolen from an employee’s car. OCR alleged that QCA failed to comply with multiple requirements of the Privacy and Security Rules beginning in 2005 and ending in 2012, leaving PHI vulnerable to unauthorized use. As part of the settlement, QCA is also required to retrain its workforce and document its compliance efforts.
Concentra Health Services
On April 21, 2014, Concentra Health Services (Concentra) agreed to settle alleged violations of the Security Rule and as part of the settlement, agreed to pay $1,725,200 and to adopt an action plan that documents its corrective and preventative action. Similar to the case involving QCA, described above, the investigation into Concentra began when OCR received a breach report that an unencrypted laptop was stolen from one of its facilities. OCR alleged that Concentra was previously aware that a lack of encryption on company-owned laptops, desktop computers, medical equipment and other devices left electronic PHI at a critical risk. Although Concentra had begun to take steps to encrypt PHI, OCR alleged that Concentra’s efforts were incomplete, inconsistent, and left patient PHI vulnerable throughout the company. The significance of the monetary settlement is likely a result of OCR’s contention that Concentra was aware that PHI was at critical risk.
New York and Presbyterian Hospital and Columbia University
On May 7, 2014, OCR agreed to settle alleged violations of the Privacy and Security Rules by the New York and Presbyterian Hospital (NYP) and Columbia University (CU) relating to the disclosure of the electronic PHI of 6,800 individuals, including patient status, vital signs, medications and lab results. As part of the settlements, NYP agreed to pay a $3,300,000 monetary settlement, CU agreed to pay $1,500,000, and both organizations agreed to a substantive corrective action plan, which involves undertaking a risk analysis, developing a risk management plan, revising company policies and procedures and retraining staff. The investigation began when NYP and CU, which are separate entities that participate in a joint arrangement involving CU faculty members serving as NYP physicians, submitted a joint breach report in September 2010. The breach occurred when a physician employed by CU attempted to deactivate a personal computer server on the shared data network (between NYP and CU) containing patient PHI. OCR concluded that a lack of technical safeguards resulted in PHI becoming accessible on internet search engines. OCR also concluded that neither NYP nor CU had (i) made efforts prior to the breach to assure that the server was secure and protected, (ii) conducted a thorough risk analysis of the shared system or developed an adequate risk management plan, or (iii) implemented sufficient policies and procedures designed to address the risks.
Parkview Health System, Inc.
On June 17, 2014, Parkview Health System, Inc. (Parkview) agreed to settle potential violations of the Privacy Rule and as part of the settlement, agreed to pay $800,000 and adopt a corrective action plan to address alleged deficiencies in its program for HIPAA compliance. The investigation began when OCR received a complaint from a retiring physician who had transferred to Parkview the medical records of approximately 5,000 to 8,000 patients. Parkview took custody of the records in order to assist the physician in transitioning her patients to new providers and to consider the possibility of purchasing a portion of the physician’s practice. In June 2009, Parkview employees left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, which was 20 feet away from a public road and close to a public shopping venue, even though Parkview was on notice that the physician was away from home.
Anchorage Community Mental Health Services
On December 17, 2014, Anchorage Community Mental Health Services (ACMHS) agreed to settle potential violations of the Security Rule and, as part of the settlement, agreed to pay $150,000, to adopt a corrective action plan to address alleged deficiencies in its HIPAA compliance program, and to report on its compliance to OCR for a two-year period. The investigation began after OCR received notification from ACMHS that malware discovered on the company’s server had compromised the electronic PHI of 2,743 individuals. OCR learned that ACMHS had previously adopted policies and procedures intended to comply with the Security Rule, but, according to OCR, those policies and procedures were not followed. In addition, OCR alleged that the security incident occurred as a result of ACMHS failing to address and protect against basic risks, such as not regularly updating its IT resources with available fixes and running outdated software.
The cases described above should serve as a reminder to covered entities and business associates to adopt, maintain and follow sufficient policies and safeguards designed to prevent the unauthorized use and disclosure of PHI, particularly in electronic form. This is especially true as the health industry continues its rapid migration from paper to electronic records, and as the complexity of information systems grows exponentially.