Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Highlights Priorities as it Steps Up HIPAA Enforcement

shutterstock_150374810Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.

Phase 2 HIPAA Audit Program Begins

OCR announced the start of the Phase 2 HIPAA Audit Program on March 21, 2016. The agency is starting to contact, by email, covered entities and business associates that may be part of the Phase 2 HIPAA audits to obtain and verify contact information. The announcement and corresponding FAQs provide the following additional information:

  • OCR wants to make sure entities are on the lookout for this communication (e.g., checking junk or spam email folder for emails from OSOCRAudit@hhs.gov)
  • OCR has not yet released the updated audit protocol, but it looks like it is coming shortly (perhaps in April). The agency has indicated that the new audit protocol will be released initially in draft form, open to public comment
  • OCR will not audit entities with an open OCR HIPAA investigation or those that are currently undergoing a compliance review
  • OCR plans to complete desk audits by the end of December 2016

Failure to Enter Into a Business Associate Agreement and to Perform a Security Risk Analysis Result in Large Settlement Agreement for Health Care System

A $1.55 million settlement with North Memorial Health Care of Minnesota (NMHC) was announced on March 16, 2016. Through the Resolution Agreement, NMHC settled charges that it violated HIPAA by failing to enter into a business associate agreement with a contractor and by failing to conduct a comprehensive risk analysis as required by the Security Rule.

An unencrypted laptop in the vehicle of a workforce member of NMHC’s vendor, Accretive, was stolen in 2011. The laptop contained ePHI for nearly 10,000 individuals. Though Accretive was receiving PHI from NMHC to perform services on its behalf, the two entities did not enter into a business associate agreement until after the theft. The HHS investigation appears to have concluded that in addition to the improper disclosure resulting from the theft of the unencrypted laptop, from March 21, 2011 through October 14, 2011, NMHC impermissibly disclosed PHI for almost 290,000 individuals to Accretive when it did not obtain appropriate privacy and security assurances in the form of a business associate agreement. NMHC was also found to have failed to conduct an “accurate and thorough risk analysis.”

NMHC agreed to pay a settlement amount of $1.55 million and enter into a two year corrective action plan that requires NMHC to:

  • Develop policies and procedures related to business associate relationships
  • Modify its existing risk analysis process
  • Develop and implement a risk management plan
  • Revise and implement HIPAA training
  • Submit reports to HHS

Research Institution Reaches Near-Record Settlement for Security Shortcomings

OCR also announced that it reached a $3.9 million settlement with the Feinstein Institute for Medical Research (FIMR) related to investigative findings following the 2012 reported theft of an unencrypted laptop from an employee’s car. The stolen laptop stored ePHI, including SSNs and medical information related to approximately 13,000 patients and potential research participants. OCR alleged that FIMR’s security procedures were deficient in several areas and that FIMR failed to:

  • Conduct an accurate and thorough risk analysis of ePHI, including ePHI, on the stolen laptop
  • Implement policies and procedures
    • For granting workforce member access to ePHI
    • That govern receipt and removal of hardware and electronic media that contain ePHI, and the movement of such media within a facility
  • Implement physical safeguards to restrict unauthorized access to a laptop that contained ePHI
  • Implement a mechanism to encrypt ePHI, or an alternative, equivalent safeguard

The settlement amount is one of the largest ever reached for HIPAA violations, and the largest agreed to by a single entity. OCR Director Jocelyn Samuels stated that “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.” Researchers can be considered HIPAA-covered health care providers when they furnish health care “to individuals, including the subjects of research,” and transmit any electronic health information in connection with a HIPAA-covered transaction. Referencing the critical role played by trust in medical research, she further suggested that “[f]or individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

As part of the settlement, FIMR also entered into a corrective action plan that requires it to:

  • Improve risk analysis and management
  • Implement a process for evaluating environmental or operational changes that affect the security of ePHI
  • Strengthen policies and procedures
  • Revise and implement HIPAA training
  • Submit reports to HHS

Key Takeaways

Taken together, these three announcements by OCR put organizations on notice that investments for HIPAA compliance may be needed to protect patient privacy and security and avoid significant fines. The key takeaways are:

  • Invest in encrypting laptops and other safeguards that will help prevent unauthorized disclosures and data breaches. Both resolution agreements were the result of full-scale compliance reviews that began with the theft of an unencrypted laptop
  • Identify business associates and put business associate agreements in place. A vendor is a business associate based on its creation, receipt, maintenance, or transmission of PHI on behalf of a covered entity
  • Perform periodic HIPAA security assessments. Both resolution agreements cited a failure of the organization to conduct a thorough and accurate risk analysis
  • HIPAA audits will happen quickly, with little time for organizations to respond. Be prepared by planning ahead.