Two recent settlements of HIPAA violations related to security breaches at a small healthcare provider and a health system highlight the continued HIPAA enforcement priorities of the Department of Health and Human Services’ Office for Civil Rights (OCR), despite the COVID-19 pandemic. Failing to secure systems that store or transmit protected health information (PHI) has cost HIPAA-covered entities, large and small, significant sums. The settlements discussed below resulted in penalties totaling over $1 million.
On July 23, 2020, OCR announced that Metropolitan Community Health Services (Metro) agreed to pay $35,000 and enter into a corrective action plan as part of a settlement following OCR’s investigation of Metro’s compliance with the HIPAA Security Rule. OCR reports that Metro submitted a breach report in 2011 regarding an impermissible disclosure of electronic protected health information (ePHI) to an unknown email account. The breach affected 1,263 patients.
OCR’s investigation uncovered longstanding noncompliance with the HIPAA Security Rule. For example, Metro did not conduct any Security Rule risk analysis, did not implement any HIPAA Security Rule policies and procedures, and did not provide its workforce with security training until 2016. In response to this breach, OCR Director Roger Severino said providers “owe it to their patients to comply with HIPAA,” and if informed of a HIPAA violation, providers “owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This settlement also shows that small providers are not exempt from HIPAA compliance or enforcement actions.
Additionally, Rhode Island-based Lifespan Health System Affiliated Covered Entity (Lifespan ACE) agreed to implement a corrective action plan and pay OCR $1.04 million for potential violations of the Privacy and Security Rules related to the theft of an unencrypted laptop. In April 2017, Lifespan ACE’s parent company reported the theft of a hospital employee’s laptop containing ePHI. The breach affected 20,431 individuals. OCR determined as part of its investigation that the failure to encrypt ePHI was part of a pattern of systemic noncompliance with HIPAA, in addition to a general lack of media and device controls and the absence of a business associate agreement with Lifespan ACE’s parent company. In response to this breach, Severino said the theft of mobile devices is a “hard reality,” and that covered entities “can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.”
Aside from confirming that HIPAA enforcement is still a priority for OCR, these settlements demonstrate the continued importance of Security Rule compliance. OCR’s corrective action plans specifically highlighted the following key requirements of covered entities (and business associates) for Security Rule compliance:
- Maintain adequate security policies and procedures to prevent, detect, contain and correct security violations.
- Conduct a risk assessment following any potential ePHI breaches.
- Conduct a thorough, periodic risk analysis of security risks and vulnerabilities that covers electronic equipment, data systems and programs.
- Implement a workforce training program for HIPAA Security Rule protocols and procedures.
- Respond to all potential breaches with procedures designed to mitigate any security risks and vulnerabilities.
If you need assistance implementing a HIPAA compliance program to minimize risks to health information privacy and security, or assistance responding to a breach of PHI, please contact your McGuireWoods attorney or one of the authors of this legal alert.