On April 27, 2015, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Cornell Prescription Pharmacy (CPP) pursuant to which CPP paid a $125,000 resolution amount, and adopted a corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 as amended (collectively, HIPAA). This solitary action in the first half of 2015 is in contrast to a pattern of increased enforcement that was evident throughout 2014, during which time OCR entered into seven resolution agreements to settle other alleged violations of HIPAA. Among the seven 2014 enforcement actions, six involved alleged failures to adequately safeguard electronic protected health information (ePHI), and one involved the failure to secure protected health information (PHI) in physical format. In addition, the resolution agreements and corrective action plans (which are publicly available) suggest certain areas of focus for OCR, which we discuss in this On the Subject. Covered entities and business associates should be mindful of these areas of focus when reviewing their HIPAA compliance programs.
Security Risk Assessments
Four of the seven 2014 enforcement actions—involving QCA Health Plan, Inc. (QCA), New York-Presbyterian Hospital (NYP), Trustees of Columbia University in the City of New York (Columbia) and Anchorage Community Mental Health Services, Inc. (ACMHS)—refer to allegations that the entities failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to their ePHI, and failed to implement security measures to reduce such risks and vulnerabilities to a reasonable and appropriate level. Such an assessment is a required administrative safeguard of the HIPAA Security Rule and a fundamental building block of electronic data security. In all four enforcement actions, the final corrective action plans required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement. Accordingly, covered entities and business associates should review their security-risk management policies and procedures; assure that they have conducted a baseline security risk assessment; and update prior security risk assessments, as needed, to address new threats and changes in their information technology environment.
Risk Management
Unlike the enforcement actions against QCA, NYP, Columbia and ACMHS, OCR acknowledged, in the resolution agreement associated with the enforcement action against Concentra Health Services (CHS), that CHS had conducted a security-risk assessment. However, OCR alleged that CHS failed to follow through with appropriate remediation efforts to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by the Security Rule. Specifically, the CHS resolution agreement notes that, although CHS had conducted multiple risk assessments recognizing a lack of encryption on its devices containing ePHI, CHS failed to thoroughly implement remediation measures to address the issue for more than three years. OCR expects covered entities and business associates to eliminate or mitigate any threats or vulnerabilities identified by security risk assessments on a reasonable, documented schedule consistent with their size, complexity and capabilities.
Change Management Procedures
Three of the seven enforcement actions—Skagit County, Washington, NYP and Columbia—refer to security-breach incidents attributable to internal changes to technology systems and data management which led to the inadvertent disclosure of ePHI. For example, OCR alleged that Skagit County moved ePHI related to 1,581 individuals to a publicly accessible server; however, Skagit County initially reported a security breach with respect to only seven individuals, allegedly failing to first identify the larger security breach.
OCR alleged that the NYP and Columbia breaches were caused when a Columbia physician attempted to deactivate a personally owned computer server on the network. Due to a lack of technological safeguards, this allegedly led to the public availability of certain ePHI on internet search engines. Accordingly, covered entities and business associates should review and revise, as appropriate, their change management policies and procedures; take care to safeguard ePHI during any system changes or data relocations; and assess the risks associated with such changes from a security perspective prior to making the change.
Additionally, the recent enforcement action against ACMHS indicates a need for covered entities and business associates to implement security patches of their technology systems on an ongoing basis. OCR alleged that ACMHS did not regularly update its information technology resources with available patches but continued to run outdated, unsupported software. Accordingly, covered entities and business associates should review their change management procedures and, on a reasonable schedule, implement all patches and software upgrades that are necessary to safeguard ePHI.
Compliance with HIPAA Policies and Procedures
The Security Rule requires a covered entity or business associate to implement reasonable and appropriate policies and procedures to comply with the requirements of the Security Rule. Of particular interest from the enforcement perspective is whether the entity actually follows the policies and procedures that it has adopted. For example, within the NYP resolution agreement, OCR alleged that, with respect to the data sharing arrangement with Columbia, NYP had failed to comply with its own policies on information-access management. Similarly, within the HHS bulletin associated with the enforcement action against ACMHS, OCR alleged that ACMHS had adopted sample Security Rule policies and procedures in 2005, but that such policies and procedures were not followed. Therefore, covered entities and business associates should be thoughtful in adopting and revising their policies and procedures, with the understanding that OCR may hold them accountable for enforcing compliance with such policies and procedures through training and employee discipline.
Summary of Recent OCR Enforcement Actions
The following table provides a brief summary of the seven resolution agreements entered into by OCR during 2014 and the most recent enforcement action against CPP earlier this year, as referenced above, including the settlement amount and term of the CAP if any.
| Date | Covered Entity | Brief Description of Alleged Violation(s) | Settlement Amount | Term of CAP |
|---|---|---|---|---|
| March 6, 2014 | Skagit County, Washington | The covered entity inadvertently moved ePHI of 1,581 individuals to a publicly accessible server maintained by the covered entity. In response to the covered entity’s breach notification, OCR conducted an investigation and alleged widespread non-compliance with the HIPAA privacy, security and breach notification rules. | $215,000 | Three years |
| April 14, 2014 | QCA Health Plan, Inc. | The covered entity included ePHI of 148 individuals on an unencrypted laptop that was stolen from a workforce member’s car. In response to the covered entity’s related breach notification, OCR conducted an investigation and alleged that QCA had not implemented necessary policies and procedures or conducted a security risk assessment, among other issues. | $250,000 | Two years |
| April 21, 2014 | Concentra Health Services | The covered entity included ePHI of an undetermined number of individuals on an unencrypted laptop that was stolen from a physical therapy facility. In response to the covered entity’s breach notification, OCR conducted an investigation and alleged that the covered entity had not implemented necessary policies and procedures or implemented remediation efforts to address threats and vulnerabilities identified as part of its routine security risk assessments, among other issues. | $1,725,220 | Two years |
| May 7, 2014 | New York-Presbyterian Hospital | The covered entities inadvertently made ePHI of 6,800 individuals accessible through internet search engines after a Columbia physician who developed applications for both NYP and Columbia attempted to deactivate a personally owned computer server from a hospital network containing ePHI. In response to the related breach notification, OCR conducted an investigation and alleged that neither NYP nor Columbia had conducted a security risk assessment or complied with their own data security policies and procedures. | $3,300,000 | Three years |
| May 7, 2014 | The Trustees of Columbia University in the City of New York | Same incident as the NYP entry above (joint NYP/Columbia matter). | $1,500,000 | Three years |
| June 17, 2014 | Parkview Health System, Inc. | The covered entity inadvertently disclosed PHI (in hardcopy) of approximately 5,000–8,000 individuals when it returned certain medical records to a physician. In response to the physician’s complaint, OCR conducted an investigation and alleged that the covered entity did not appropriately safeguard the PHI. | $800,000 | One year |
| December 17, 2014 | Anchorage Community Mental Health Services, Inc. | The covered entity inadvertently disclosed ePHI of 2,743 individuals due to malware that had compromised the security of the covered entity’s information technology systems. In response to the related breach notification, OCR conducted an investigation and alleged that the covered entity had not conducted a security risk assessment or implemented necessary patches and upgrades to its information technology systems. | $150,000 | Two years |
| April 27, 2015 | Cornell Prescription Pharmacy | The covered entity disposed of PHI in a dumpster accessible to the public. In response to a media report, OCR alleged that the covered entity failed to implement reasonable safeguards and implement written privacy policies and procedures. | $125,100 | Two years |