OCR is now targeting BAs for HIPAA violations as settlements are announced
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
It’s a HIPAA first. A business associate has settled a direct enforcement action over allegations that it potentially violated HIPAA. We can expect future HIPAA enforcement actions against business associates.
What Happened?
It all started with the theft of a smartphone.
On June 24, 2016, the U.S. Department of Health & Human Services OCR entered into a resolution agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides, as a business associate, management and information technology services to its six nursing homes. The theft of an employee’s CHCS-issued smartphone triggered the investigation.
The unencrypted smartphone contained information on 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, and medical procedures. In addition to the loss of the smartphone, CHCS allegedly:
- Did not have policies addressing the removal of mobile devices that contain electronic protected health information (ePHI);
- Had not undertaken a risk analysis; and
- Did not have a risk management plan in place at the time of the theft.
What was the Settlement?
CHCS agreed to pay $650,000 and adhere to a two-year corrective action plan. The corrective action plan requires the business associate to:
- Conduct a risk analysis on an annual basis;
- Develop, maintain, and revise its policies and procedures to address a number of HIPAA security requirements, including encryption of ePHI, audit controls, integrity controls, log-in monitoring, and password management;
- Provide training for all workforce members with access to ePHI; and
- Submit annual compliance reports to OCR, among other provisions.
It was only a matter of time before a business associate was targeted for a HIPAA settlement. OCR settlement agreements tend to arise two to three years after the breach incident that caught OCR’s attention, providing time for agency investigation and negotiations. Since OCR first began holding business associates directly liable under HIPAA in September 2013, it seemed likely that the first settlement agreement with a business associate would come around this time, close to three years later. OCR already has taken enforcement actions against covered entities related to their business associates, usually related to a lack of a business associate contract. It is safe to say that we will begin to see settlements with business associates interspersed with covered entity settlements in the coming years.
In addition to the CHCS settlement, on July 18 OCR announced a $2.7 million settlement and three-year corrective action plan with Oregon Health and Science University (OHSU), after it reported several breaches involving unencrypted laptops and a stolen unencrypted thumb drive. During its investigation, OCR discovered that OHSU was storing the ePHI, including sensitive health information, of more than 3,000 individuals on a cloud-based server without a business associate agreement. In addition, OCR found that although OHSU had performed security risk analyses in the past, those analyses did not cover all ePHI in OHSU's enterprise, and OHSU did not act in a timely manner to address the risks identified. OCR emphasized that OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI.
As part of the corrective action plan, OHSU will:
- Implement encryption for all mobile devices with access to PHI; and
- Develop a comprehensive risk management plan covering all systems, networks, and devices engaging with PHI.
On July 21, OCR announced a $2.75 million settlement and a three-year corrective action plan with the University of Mississippi Medical Center (UMMC) after a stolen laptop was reported to OCR as a breach. OCR's investigation revealed that UMMC maintained an unsecured network drive accessible by a generic username and password to UMMC wireless network users. That drive contained the ePHI of an estimated 10,000 individuals. In its resolution agreement, OCR focused on UMMC's alleged failure to implement safeguards against known risks and vulnerabilities in the systems storing ePHI. Specifically, OCR found that the generic username and password used by UMMC were insufficient security for a wireless network containing ePHI. UMMC should have implemented a unique user ID system, so it could track which specific users accessed ePHI. Under its corrective action plan, UMMC is required to draft an enterprise-wide risk analysis and risk management plan to reduce the risks and vulnerabilities to ePHI in its systems.
These three resolution agreements provide the following insights into OCR's focus and approach to HIPAA investigations and enforcement:
- Appropriate security risk analysis and management are critical to HIPAA compliance for covered entities and business associates, and the failure to document compliance efforts can result in significant penalties.
- Entities should ensure that a comprehensive risk management plan covers everywhere ePHI is maintained—including mobile phones, wireless networks, laptops, thumb drives, and cloud storage centers—and ensure appropriate safeguards are in place for its protection.
- Business associates are officially on notice that breaches and investigations of their compliance can result in significant settlement amounts and corrective action plans.
A single breach or incident may lead to a much more extensive OCR investigation. Many of the findings on which settlement amounts and corrective action plans are based relate not to the incident initially investigated, but to other issues identified through the investigation. Many incidents now lead to a comprehensive HIPAA compliance investigation, and entities reporting breaches should be prepared to provide information and documentation related to their entire HIPAA compliance program.
To avoid HIPAA trouble, covered entities and business associates should note the following takeaways from these settlements:
- Settlements focused on the absence of risk analysis and risk management. Once again, OCR is sounding the alarm about the need for periodic risk analysis.
- Verifying HIPAA compliance now will help business associates put their best foot forward should they become subject to an audit or a HIPAA investigation. As part of this verification, business associates should review whether they have an up-to-date HIPAA compliance program in place and fine-tune existing policies and procedures based on experience.
Covered entities should ensure that their own and their business associates' HIPAA compliance plans cover, at a minimum, the following requirements:
- Limit uses and disclosures of protected health information, and address minimum necessary obligations.
- Perform and document risk analysis and risk management processes—and revisit these regularly, particularly in response to changes in the organization, and/or its services and operations, or in light of new security threats.
- Implement reasonable and appropriate administrative, physical, and technical safeguards for protected health information (PHI) in any form or format.
- Don’t forget about portable media and devices—theft and loss of portable devices, such as cell phones and laptops, have triggered a large percentage of HIPAA settlements, including those discussed here.
- Formalize privacy and security efforts through policies and procedures.
- Appoint a security officer (and a privacy officer).
- Verify compliance with existing business associate agreements – failure to comply may result in increased liability beyond breach of contract.
- Train workforce members and promote ongoing security awareness.
- Follow up after a breach. Any institution that suffers a breach involving unsecured PHI must investigate the breach, take corrective action, notify its covered entity customer, and document the event as required under HIPAA. Usually, the customer will notify affected individuals and OCR. OCR regularly investigates breaches and could follow up with the business associate.
If you have any questions about the new compliance landscape and the importance of information security throughout your business, give ITPAC a call today.