Audit Prep: Lessons from OCR HIPAA Enforcement
If you are a health care data privacy and security professional who finds sleep a bit more elusive these days, you are not alone. What is keeping us awake at night? First, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the launch of Phase 2 of the HIPAA Audit Program. While HIPAA Rule violations can always result in enforcement, the Phase 2 audits, and the specter of a permanent audit program, further incentivize covered entities (CE) and business associates (BA) to make the most of their compliance programs.
Compounding our insomnia is the fact that health care data is clearly in the cybercrime bullseye. It exists in more forms and formats than ever before, it is exceedingly valuable on the dark market, and the health care industry, as a whole, is newer to data protection than the commercial and financial sectors. It is no surprise that cybercriminals are capitalizing on this “perfect storm,” sharpening their tools and sharing successful tactics amongst themselves.
Further, the consequences of data privacy and security incidents can be profound. The business itself suffers financial and reputational loss when it must announce and remediate a breach. Its customers – including patients and health plan beneficiaries – face the potential for identity theft and its attendant monetary and reputational consequences. They may also be the victims of medical identity theft, which brings a unique set of troubles including the potential for physical harm resulting from a mixed medical record, and a fear of sharing vital yet sensitive medical information with a provider in which they have lost data protection confidence.
There are several important sources of guidance on HIPAA compliance best practices. The first place to start is a careful reading of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule themselves. Other resources include the recently released OCR crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
This tool helps regulated entities bolster their Security Rule posture by “mapping” Security Rule standards and implementation specifications to relevant provisions of the NIST Framework and other commonly used security frameworks. NIST guidance documents, such as the Guide for Conducting Risk Assessments (SP 800-30 Rev. 1), can also help CEs and BAs assess their security posture. But perhaps the most useful guidance comes from OCR itself. OCR’s enforcement history offers valuable insight to CEs and BAs seeking additional guidance on compliance best practices.
In February 2016, OCR announced that an Administrative Law Judge (ALJ) granted summary judgment for OCR and affirmed a civil money penalty (CMP) against a covered entity. This is only the second time in its history that OCR has sought CMPs for HIPAA Rule violations, and the penalty stood both times: the first became final when the entity did not request a hearing, and the second was sustained by the ALJ. This most recent case advanced a common theme in OCR enforcement: the importance of safeguarding protected health information (PHI) taken offsite. While CMPs have been infrequent to date, OCR has other compliance tools available, including resolution agreements and corrective action plans (RA/CAP). OCR’s complaint resolution process, and CMPs and RA/CAPs in particular, provide valuable lessons to CEs and BAs on compliance issues of particular importance to OCR: both what to do, and what to avoid.
OCR Complaint Resolution
If a privacy, security, or breach notification complaint is one against which OCR can take action, OCR may intervene early and resolve the complaint informally, without investigation, by providing technical assistance to the CE or BA. If the agency does investigate and discovers a less serious violation, it may still resolve the complaint by providing technical assistance. One former OCR attorney estimates that OCR resolves as many as 99% of breach investigations without settlement or financial penalty.
For more serious issues, however, OCR may seek a RA/CAP or even CMPs. A resolution agreement is a settlement agreement between HHS and a regulated entity. Under the terms of a resolution agreement (the RA), the CE or BA may agree to pay a fine known as a “resolution amount” – which may be substantial – implement corrective actions (the CAP), and/or agree to a monitoring period during which the CE or BA makes periodic reports to OCR of its compliance with the CAP. If a complaint cannot be resolved through a RA/CAP, OCR may issue a formal finding of violation and impose CMPs against the entity.
From the compliance date of the Privacy Rule (April 2003) through December 31, 2015, OCR received 125,445 HIPAA complaints and resolved 96% of them (119,964):
In 73,288 cases (approximately 61% of resolved complaints), OCR determined the complaint did not present an eligible case for enforcement (see fn1).
In 11,701 cases (approximately 10% of resolved complaints), OCR intervened early and resolved the complaint by providing technical assistance, without the need for investigation.
In 10,928 cases (approximately 9% of resolved complaints), OCR investigated and determined no violation had occurred.
In 24,047 cases (approximately 20% of resolved complaints), OCR investigated and required changes in privacy practices by, or provided technical assistance to, CEs and BAs. Corrective actions resulted in systemic changes affecting all individuals served.
In 31 cases, OCR settled with the entity in lieu of imposing a CMP.
In 2 cases, OCR imposed CMPs.
According to OCR, the most-investigated compliance issues are, in order of frequency:
Impermissible uses and disclosures of PHI.
Lack of safeguards for PHI.
Lack of patient access to their PHI.
Lack of administrative safeguards for ePHI.
Use or disclosure of more than the “minimum necessary” PHI.
Already in 2016, OCR has entered three RA/CAPs with covered entities, in addition to having a CMP affirmed. This may signal a ramp-up in settlements versus informal resolution – and the time may be right for the first enforcement against a BA (so far, all RA/CAPs and CMPs have been against CEs).
Lessons from CMPs and RA/CAPs
With OCR's Phase 2 audits looming, CEs and BAs can glean important lessons from the CMPs and RA/CAPs to date. While regulated entities should attend to all aspects of Privacy Rule, Security Rule, and Breach Notification Rule compliance, these civil enforcement actions likely telegraph situations to which OCR will pay particular attention when investigating complaints or conducting audits. Note that the terms of the RA/CAPs specifically state that they are not admissions, concessions, or evidence of any liability or wrongdoing.
To bolster HIPAA Rule compliance, CEs and BAs should consider the following lessons:
Prioritize top-to-bottom compliance
If OCR investigates? Cooperate
Access rights matter
Perform an accurate, thorough, organization-wide Security Rule risk analysis
Address vulnerabilities and risks identified in the risk analysis
Safeguard PHI taken off-site
Encrypt ePHI
Account for unconventional ePHI repositories
Evaluate internet applications
Support your software
Watch IT updates
Execute compliant Business Associate Agreements
Joint arrangements might mean joint liability
Privacy still counts
Terminating employment? Terminate access
Size doesn’t matter (much)
No exceptions for the C-suite
Beef up breach notification
Public entities and government are not exempt
Research institutions are accountable
Mind your marketing
Lesson 1: Prioritize Top-to-Bottom Compliance
Reasonableness is a cornerstone of HIPAA compliance. For example, the Security Rule requires that CEs and BAs protect against "reasonably anticipated" threats and hazards to, and unpermitted uses and disclosures of, ePHI (45 CFR 164.306(a)(2) and (3)). Regulated entities therefore enjoy a degree of flexibility in their approach to Security Rule compliance, and may use "any" security measures that allow them to "reasonably and appropriately implement" the Security Rule requirements (45 CFR 164.306(b)(1)).
Although CEs and BAs may take a flexible and reasonable approach to compliance, they still must comply – and comply fully – with Privacy and Security Rule mandates. They cannot pick and choose among requirements, and selective implementation is fraught with enforcement peril.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. – September 2012 (RA/CAP and $1.5M resolution amount)
OCR’s investigation followed notification by the CE reporting the theft of an unencrypted personal laptop containing ePHI of patients and research subjects. According to OCR’s press release, the failures it identified (listed below) “continued over an extended period of time, demonstrating a long-term, organizational disregard” for Security Rule requirements.
OCR’s investigation indicated the following conduct occurred:
Failure to conduct a thorough analysis of risk to the confidentiality of ePHI on an ongoing basis, as part of its security management process (45 CFR 164.308(a)(1)(i), (a)(1)(ii)(A)). Specifically, the CE did not fully evaluate the likelihood and impact of potential risks to confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address these potential risks, document the chosen security measures and rationale for adopting them, and maintain ongoing reasonable and appropriate security measures.
Failure to maintain sufficient security measures to ensure, to a reasonable and appropriate level, the confidentiality of ePHI created, maintained, and transmitted using portable devices (45 CFR 164.308(a)(1)(ii)(B)).
Failure to adequately adopt or implement policies and procedures to address security incident identification, reporting, and response (45 CFR 164.308 (a)(6)(ii)).
Failure to adequately adopt or implement policies and procedures to restrict access to portable devices accessing ePHI to authorized users, or to provide the CE with a reasonable means of knowing whether and what type of portable devices were being used to access its network (45 CFR 164.308(a)(3)(i)).
Failure to adequately adopt or implement policies and procedures governing receipt and removal of portable devices into, out of, and within the facility (45 CFR 164.310(d)(1)). Specifically, the CE had no reasonable means of tracking non-CE owned portable media devices containing ePHI.
Failure to adequately adopt or implement technical policies and procedures to allow access to ePHI via portable devices only by authorized persons or software programs (45 CFR 164.312(a)(1)). Specifically, the CE did not implement an equivalent, reasonable, and appropriate alternative to encryption that would have ensured confidentiality, or document rationale supporting the decision not to encrypt (45 CFR 164.312(a)(2)(iv)).
Former OCR Director Leon Rodriguez commented: “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices .... This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
Lesson 2: If OCR Investigates? Cooperate
Lesson 3: Access Rights Matter
Under the Privacy Rule, CEs must allow individuals to access PHI about them in the designated record sets the CE maintains (45 CFR 164.524). This includes allowing individuals to inspect and copy PHI, and to direct the CE to transmit a copy to others. The individual may exercise this right as long as the CE or its BA maintains the information in the designated record set, regardless of when it was created, where it originated, or in what form the CE or BA keeps it.
OCR's focus on access rights cannot be overstated. In January 2016, OCR released a fact sheet to clarify individuals' "core right" to access and obtain a copy of their health information. Commenting on what it called an "important step" for access rights, OCR emphasized: "Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule. This must change."
On what was this "experience" based? Non-compliance with access rights was one of OCR's top findings from the 2011/2012 pilot audit program, and will surely be an area of focus in the upcoming second round of compliance audits. However, the agency's emphasis became apparent much earlier – with its first imposition of civil money penalties.
OCR's First CMP: Cignet Health – February 2011 (CMP - $4.3M)
Cignet Health's troubles began when it failed to provide access to 41 individuals who had requested copies of their medical records. Most of these individuals lodged complaints with OCR, and the agency launched an investigation. Cignet's troubles compounded when it failed to cooperate in any meaningful way with the investigation. Specifically, Cignet did not respond to letters, telephone calls, a document production subpoena, and a show cause order. Only after the court entered a default judgment against Cignet did it summarily deliver 59 boxes of original medical records to the attorney representing OCR – including records for approximately 4,500 individuals for whom OCR made no request or demand, and for whom Cignet had no basis to disclose PHI to OCR.
OCR notified Cignet of the preliminary indications of noncompliance, and offered Cignet the opportunity to present evidence of mitigating factors, affirmative defenses, or "good cause" for noncompliance. Cignet did not respond.
As a basis for imposing the CMP, OCR determined:
The CE failed to provide 41 individuals timely access to obtain a copy of PHI about them in the CE’s designated record sets (45 CFR 164.524). The CE’s failure to provide each individual with access constituted a separate violation, and each day the violation continued counted as a separate violation.
The CE failed to cooperate with OCR’s investigation of 27 complaints regarding the CE’s noncompliance (45 CFR 160.310(b)). The failure to cooperate with each complaint constituted a separate violation, and each day the violation continued constituted a separate violation. Each violation was due to the CE’s “willful neglect of its obligation to comply.” “Willful neglect” means the “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision ….” (45 CFR 160.401).
OCR proposed a CMP of $4,351,600. The Notice of Proposed Determination notified the CE of its right to request a hearing, and gave appropriate instructions. The CE did not request a hearing within the 90-day period, and there was no settlement of the matter. The CMP became final, without appeal rights.
Commenting on OCR's Notice of Final Determination, OCR Director Georgina Verdugo admonished: "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements ….The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”
Lesson 4: Perform an Accurate, Thorough, Organization-Wide Security Rule Risk Analysis
As part of the required Administrative Safeguards for ePHI, the Security Rule requires that CEs and BAs implement a security management process – policies and procedures to prevent, detect, contain, and correct security violations. A required implementation specification of the security management process is a risk analysis, which is “an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by” the CE or BA (45 CFR 164.308(a)(1)(ii)(A)).
As with all Security Rule requirements, CEs and BAs can take a flexible approach to risk analysis, considering – among other things – their size, complexity, and capabilities as well as the probability and criticality of potential risks to ePHI (45 CFR 164.306(b)). While the Security Rule emphasis is always on what is “reasonable and appropriate” for a particular entity, it is impossible to overstate the importance of the risk analysis as a foundational element of the CE’s or BA’s security management process. OCR enforcement bears this out.
The University of Washington Medicine – December 2015 (RA/CAP and $750,000 resolution amount)
UWM is an “affiliated covered entity” (ACE) composed of the University of Washington’s designated health care components. An affiliated covered entity is a group of legally separate CEs under common ownership and control that have designated themselves a single CE for purposes of the HIPAA Rules (45 CFR 164.105(b)(1)). ACEs must have policies and processes in place to ensure that each component entity complies with the HIPAA Rules.
OCR began its investigation after receiving a breach report indicating that approximately 90,000 individuals’ ePHI was accessed after an employee downloaded an email attachment containing malware. OCR’s investigation indicated that UWM failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR 164.308(a)(1)(i)). Specifically, while the ACE’s policies and procedures required risk analyses and Security Rule compliance by each affiliated entity, it did not in fact ensure that each entity complied.
OCR Director Samuels commented: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise …. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
Idaho State University – May 2013 (RA/CAP and $400,000 resolution amount)
OCR opened its investigation after the CE reported a breach of 17,500 patients’ ePHI due to the disabling of firewall protections at the CE’s servers. OCR’s investigation indicated the following conduct occurred:
Failure to conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process (45 CFR 164.308(a)(1)(ii)(A)).
Failure to adequately implement security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level (45 CFR 164.308(a)(1)(ii)(B)).
Failure to adequately implement procedures to regularly review records of information system activity to determine if ePHI was inappropriately used or disclosed (45 CFR 164.312(b)).
Former OCR Director Rodriguez emphasized: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program …. Proper security measures and policies help mitigate potential risk to patient information.”
Lesson 5: Address Vulnerabilities and Risks Identified In the Security Rule Risk Analysis
The Security Rule requires CEs and BAs to implement a security management process in which they implement policies and procedures to “prevent, detect, contain, and correct security violations” (45 CFR 164.308(a)(1)(i)). Risk analysis is the “detection” component, but the process does not stop there. Another required piece of the security management process is risk management: implementation of security measures “sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level ….” (45 CFR 164.308(a)(1)(ii)(B)).
OCR does not intend security management to begin and end with the risk analysis. Identifying vulnerabilities and risks is only half the battle. You also must do something about them.
Concentra Health Services – April 2014 (RA/CAP and $1,725,220 resolution amount)
OCR opened a compliance review of the CE after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities. According to HHS, the CE had previously recognized in “multiple risk analyses” that lack of encryption for devices containing ePHI was a critical risk. While the CE had taken steps to begin encryption, OCR described its efforts as “incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization.”
OCR’s investigation indicated the following conduct occurred:
Failure to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate (45 CFR 164.312(a)(2)(iv)).
Failure to sufficiently implement policies and procedures to detect, contain, and correct security violations under the security management process standard. Specifically, the CE did not adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level (45 CFR 164.308(a)(1)(i)).
Commenting on this enforcement, former OCR Deputy Director of Health Information Privacy Susan McAndrew focused on the importance of encryption to mobile device security. While this is certainly an important lesson, and is discussed in detail below regarding the contemporaneous QCA Health Plan, Inc. enforcement, perhaps a stronger message to take from Concentra is to avoid letting your Security Rule risk analysis gather dust. The risk analysis should be an active, living document that guides timely corrective action. Only then can it truly be part of a security management process, as the Security Rule intends.
Lesson 6: Safeguard PHI Taken Off-Site
CEs and BAs lose a measure of control over PHI once it leaves the entity’s premises. According to a 2015 study of 949 large breaches between 2010 and 2013, more than half resulted from loss or theft of laptops, other portable media, and paper. Considering that these breaches alone affected more than 29 million records, CEs and BAs are rightly concerned about the risks attendant to offsite use.
The Security Rule addresses the issue directly: as part of their physical safeguards for ePHI, CEs and BAs must implement policies and procedures for device and media control, including “receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility" (45 CFR 164.310(d)(1)). The Privacy Rule more generally requires appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including safeguarding PHI from unauthorized use or disclosure, whether intentional or unintentional (45 CFR 164.530(c)(2)(i)).
OCR enforcement, including imposition of civil money penalties in one case, underscores the importance of analyzing the risks and vulnerabilities attendant to offsite use, implementing policies and procedures to reduce those risks and vulnerabilities to an acceptable level, and appropriately training workforce members.
OCR's First Settlement: Providence Health & Services – July 2008 (RA/CAP and $100,000 resolution amount)
On several occasions over a 6-month period, backup tapes, optical disks, and laptops containing unencrypted ePHI of more than 386,000 patients were removed from the CE’s premises, left unattended, and subsequently lost or stolen. More than 30 patients filed complaints with OCR after the CE notified affected individuals under State notification laws, and reported the incident to HHS. The Centers for Medicare and Medicaid Services (CMS) and OCR jointly investigated.
Although OCR had to date resolved more than 6,700 Privacy Rule and Security Rule complaints by requiring systemic changes to entities’ information-control practices, on this occasion it chose to enter its first RA/CAP. Commenting on the enforcement, then-OCR Director Winston Wilkinson stated: “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”
Massachusetts General Hospital – February 2011 (RA/CAP and $1M resolution amount)
A later RA/CAP addressed off-site protections in the context of paper PHI. An MGH employee left documents containing the PHI of 192 individuals – including some with HIV/AIDS – on a subway while commuting to work. The documents were never recovered.
Commenting on the RA/CAP, former OCR Director Georgina Verdugo admonished the health care industry to take a "close look" at the agreement and recognize that OCR is "serious" about HIPAA enforcement. To avoid enforcement penalties, covered entities and business associates "must ensure they are always in compliance with the HIPAA Privacy and Security Rules …. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
OCR’s Second-Ever CMP: Lincare, Inc. – February 2016 ($239,800 CMP)
OCR began investigating the health care provider after receiving a complaint that a Lincare employee left behind documents containing 278 patients’ PHI after moving residences. In its Notice of Proposed Determination, OCR determined that Lincare was liable for the following Privacy Rule violations:
Impermissible disclosure of PHI (45 CFR 164.502(a)). OCR determined that the employee knew or should have known that she violated the Privacy Rule, but did not act with willful neglect.
Failure to safeguard PHI (45 CFR 164.530(c)). Again, OCR determined that the employee knew or should have known that she violated the Privacy Rule, but did not act with willful neglect.
Inadequate policies and procedures (45 CFR 164.530(i)(1)). The CE implemented policies and procedures allowing workforce members to remove PHI from the premises and maintain it in vehicles overnight and for indefinite periods of time, without specifying reasonable and appropriate administrative and/or physical safeguards for workforce members to follow to protect PHI from disclosure. OCR determined that the CE knew or should have known of the violations, but did not act with willful neglect.
OCR proposed a CMP of $239,800.
The HIPAA Enforcement Rule allows the subject of a CMP to request a hearing on the proposed penalty before an ALJ (45 CFR 160.420(b)). As with other civil matters, the ALJ may rule by order after motion (45 CFR 160.528(a)). In this case, the ALJ granted OCR’s motion for summary judgment, and sustained the proposed CMP. The CE had argued to OCR, and before the ALJ, that it should not be liable for HIPAA violations because the complainant – the employee’s estranged spouse – “stole” the information. Both OCR and the ALJ rejected this “defense,” with the ALJ noting it actually presented the more damaging scenario of the employee leaving PHI accessible to a purportedly untrustworthy individual and then, “without giving a thought to security,” abandoning them entirely.
The ALJ also determined that the CE, even after learning of the breach, took no steps to prevent further disclosure. Indeed, “managers did not seem to recognize that they had a significant problem protecting PHI that was removed from the office.” For instance, when asked whether the CE considered revising its policies to include guidelines for safeguarding PHI taken offsite, the CE’s corporate compliance officer replied that the CE “considered putting a policy together that said thou shalt not let anybody steal your protected health information.” The ALJ did not consider this a “serious response.”
Several other ALJ findings bear consideration:
The ALJ rejected the CE’s argument that it satisfied HIPAA’s policy and procedure requirement because its workforce members were well-trained, noting that “even if this training were flawless (and no evidence suggests it was even adequate), staff training does not compensate for missing policies.”
The CE had no policies – written or otherwise – to monitor documents taken offsite and ensure their return. PHI “could be missing for indefinite periods without the company’s knowledge ….”
The CE offered “no real evidence” of its training curriculum. Rather, it relied on “selected quotes from company employees describing their training” that were “far from comprehensive.”
In addressing the CMP, Director Jocelyn Samuels emphasized: “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules ….The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
Lesson 7: Encrypt ePHI
Encryption is an important concept in both the Breach Notification Rule and the Security Rule. The BNR requires CEs to notify individuals, HHS, and sometimes the media, of breaches of “unsecured protected health information” (45 CFR 164.404(a) (individuals); 164.406(a) (media); 164.408(a) (HHS)). “Unsecured protected health information” is PHI that is not rendered “unusable, unreadable, or indecipherable to unauthorized persons” through methods authorized by HHS (45 CFR 164.402).
HHS guidance issued in 2009 states that ePHI has been rendered unusable, unreadable, or indecipherable if it has been encrypted by use of an “algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and the confidential process or key that might enable decryption has not been breached.” The guidance specifies certain encryption processes for ePHI at rest and in motion that NIST has tested and judged to meet appropriate Security Rule standards.
The Security Rule’s “transmission security” technical safeguard standard requires CEs and BAs to implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network (45 CFR 164.312(e)(1)). “Encryption” is an addressable implementation specification requiring CEs and BAs to implement a mechanism to encrypt ePHI “whenever deemed appropriate.” (45 CFR 164.312(e)(2)(ii)).
So, when is it appropriate to encrypt ePHI at rest and in motion? The answer may be “always,” particularly in the context of mobile device security.
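As an added illustration of the encryption standard quoted above (this is example code written for this page; it is not HHS or OCR guidance and not code from any entity discussed here), the following Go program seals a constructed patient record with AES-256-GCM, an authenticated mode built on the NIST-approved AES block cipher. It demonstrates the two properties the HHS guidance turns on: without the key the stored bytes carry no meaning, and any alteration of the stored bytes, or use of the wrong key, is detected on decryption instead of yielding garbled plaintext. The record text, the record identifier used as associated data, and the on-disk blob layout are assumptions made for the example. The example does not, by itself, satisfy the breach safe harbor: the guidance also requires that the key not be breached, so a real deployment keeps the key in a key-management service or hardware module, never beside the data it protects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout (an assumption for this example):
//   nonce (12 bytes) || ciphertext || GCM tag (16 bytes)
// The nonce is random per record and must never repeat under one key.

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext under key. recordID is bound as associated
// data, so a blob copied onto a different record fails to decrypt.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving the blob layout above.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. A flipped bit anywhere in the blob,
// a wrong key, or a mismatched recordID returns an error, never bad plaintext.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123 | Jane Doe | DOB 1970-01-01 | Dx: hypertension")
	blob, err := EncryptRecord(key, "mrn-000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes reveal the name: %v\n", bytes.Contains(blob, []byte("Jane Doe")))

	back, err := DecryptRecord(key, "mrn-000123", blob)
	fmt.Printf("right key: %q (err=%v)\n", back, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = DecryptRecord(key, "mrn-000123", tampered)
	fmt.Printf("after one flipped bit: err=%v\n", err)

	other, _ := NewKey()
	_, err = DecryptRecord(other, "mrn-000123", blob)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

Binding the record identifier as associated data is the detail most often omitted in homegrown encryption-at-rest: without it, an attacker with write access to the store can swap encrypted blobs between patients and the data still decrypts cleanly.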
QCA Health Plan, Inc. – April 2014 (RA/CAP and $250,000 resolution amount)
OCR received a breach notice from QCA reporting that an unencrypted laptop containing 148 individuals’ ePHI had been stolen from a workforce member’s car. According to OCR, while QCA encrypted devices after it discovered the breach, it had failed to comply with “multiple requirements” of the Privacy and Security Rules.
OCR’s investigation indicated the following conduct occurred:
Failure to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a Security Rule risk analysis, and implementing security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level. (45 CFR 164.306).
Failure to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
Impermissible disclosure of 148 individuals’ ePHI.
Commenting on the QCA and Concentra enforcements, former OCR Deputy Director of Health Information Privacy McAndrew emphasized: “Covered entities and business associates must understand that mobile device security is their obligation …. Our message to these organizations is simple: encryption is your best defense against these incidents.”
Lesson 8: Account for Unconventional ePHI Repositories
OCR provides little direct guidance on conducting the required Security Rule risk analysis, apart from the requirements that it be “accurate and thorough,” and the caveat that it may be flexible to accommodate the CE’s or BA’s specific circumstances, so long as it is reasonable and appropriate for the entity (45 CFR 164.308(a)(ii)(A) and 306(b)). However, the purpose of the risk analysis – like all Security Rule standards and implementation specifications – is to enable CEs and BAs to carry out their mission of ensuring the confidentiality, integrity, and availability of “all” ePHI the entity creates, receives, maintains, or transmits – wherever it is located (45 CFR 164.306(a)(1)).
An important first step in conducting an appropriate risk analysis is to map the location of ePHI and its flows into, within, and out of the entity. This involves considering “unconventional” repositories of ePHI.
Lahey Hospital and Medical Center – November 2015 (RA/CAP and $850,000 resolution amount)
OCR opened its investigation after a laptop containing 599 individuals’ PHI was stolen from an unlocked treatment room at the hospital. The laptop, located on a stand accompanying a portable CT scanner, operated the scanner and produced images for viewing. OCR’s investigation indicated the following conduct occurred:
Failure to conduct an accurate and thorough risk analysis as part of the CE’s security management process (45 CFR 164.308(a)(1)(ii)(A)).
Failure to implement reasonable and appropriate physical safeguards restricting access to the workstation to authorized users (45 CFR 164.310(c)).
Failure to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of the facility, and their movement within the facility (45 CFR 164.310(d)(1)).
Failure to assign a unique user name for identifying and tracking user identity for the laptop (45 CFR 164.312(a)(2)(i)).
Failure to implement a mechanism to record and examine activity on the laptop (45 CFR 164.312(b)).
Impermissible disclosure of ePHI in violation of the Privacy Rule (45 CFR 164.502(a)).
OCR Director Samuels emphasized regarding the Lahey RA/CAP: “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment …. Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
Accounting for unconventional PHI repositories is also an important part of the disposal process. The Security Rule requires CEs and BAs to implement policies and procedures addressing the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as procedures for removing PHI from electronic media before the media are made available for re-use (45 CFR 164.310(d)(2)(i) and (ii)). Failure to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures.
The disposal rules make intuitive sense for “obvious” ePHI repositories such as computers and flash drives – one might readily think of wiping or sanitizing the devices before disposing of or reusing them. But photocopiers?
As more and more of the things we use become smarter and higher-tech, even old office standbys like the photocopier look and act nothing like we remember from back when. Far from just passively regurgitating, modern copiers can receive, transmit, process, and store electronic data, without regard for subject matter or sensitivity. A CE that leased and returned photocopiers learned a hard lesson about where ePHI can hide, and how important it is to conduct a comprehensive Security Rule risk analysis.
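One concrete way to act on this lesson is to reconcile the asset inventory against the documented risk-analysis scope and against media-sanitization records, so that copier hard drives, scanner workstations and similar repositories are not missed, and nothing holding ePHI leaves the facility unwiped. The script below is an added example, not part of the original article or any OCR guidance; every asset id, category and sanitization record in it is a constructed placeholder.

```python
"""Reconcile an ePHI asset inventory with the risk-analysis scope and with
media-sanitization records before equipment is returned or disposed of.
Constructed example: every asset, category and record here is invented."""
from dataclasses import dataclass
from typing import List

# Categories that are commonly left out of risk analyses even though they
# retain ePHI (the article's examples are copier hard drives and the laptop
# driving a portable CT scanner).
UNCONVENTIONAL = {"photocopier", "mfp", "medical_device_workstation", "fax", "voicemail"}


@dataclass
class Asset:
    asset_id: str
    category: str
    stores_ephi: bool
    in_risk_analysis: bool
    leased: bool = False
    status: str = "in_service"  # in_service | pending_return | pending_disposal


@dataclass
class SanitizationRecord:
    asset_id: str
    method: str      # e.g. "overwrite", "crypto_erase", "physical_destruction"
    verified: bool   # a second person confirmed the wipe


def unassessed_ephi_assets(assets: List[Asset]) -> List[str]:
    """Assets that hold ePHI but are missing from the documented risk analysis."""
    return sorted(a.asset_id for a in assets if a.stores_ephi and not a.in_risk_analysis)


def unconventional_gaps(assets: List[Asset]) -> List[str]:
    """The subset of unassessed assets in categories that are easy to overlook."""
    return sorted(a.asset_id for a in assets
                  if a.stores_ephi and not a.in_risk_analysis and a.category in UNCONVENTIONAL)


def release_blockers(assets: List[Asset], records: List[SanitizationRecord]) -> List[str]:
    """ePHI-bearing assets about to leave the entity (return to the leasing
    company or disposal) that have no verified sanitization record."""
    verified = {r.asset_id for r in records if r.verified}
    return sorted(a.asset_id for a in assets
                  if a.status in ("pending_return", "pending_disposal")
                  and a.stores_ephi and a.asset_id not in verified)


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("WS-001", "laptop", True, True),
    Asset("COPIER-07", "photocopier", True, False, leased=True, status="pending_return"),
    Asset("CT-LAPTOP-2", "medical_device_workstation", True, False),
    Asset("USB-19", "flash_drive", True, True, status="pending_disposal"),
    Asset("WS-OLD", "laptop", True, True, status="pending_disposal"),
    Asset("MFP-3", "mfp", False, True),
    Asset("SRV-DB1", "server", True, False),
]
SAMPLE_RECORDS = [
    SanitizationRecord("USB-19", "physical_destruction", verified=True),
    SanitizationRecord("WS-OLD", "overwrite", verified=False),  # wipe never verified
]

if __name__ == "__main__":
    print("Outside risk analysis:", unassessed_ephi_assets(SAMPLE_ASSETS))
    print("Unconventional repositories missed:", unconventional_gaps(SAMPLE_ASSETS))
    print("Must not leave until wiped:", release_blockers(SAMPLE_ASSETS, SAMPLE_RECORDS))
```

The three lists map directly onto the findings in the Lahey and Affinity cases: an ePHI repository outside the risk analysis, an unconventional device category, and hardware leaving the entity without a verified wipe. An unverified sanitization record is treated the same as no record at all.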
Affinity Health Plan, Inc. – August 2013 (RA/CAP and $1,215,780 resolution amount)
As part of an investigatory report, a national news station purchased a photocopier that the CE had previously leased – and then notified Affinity that the copier’s hard drive contained confidential medical information. Affinity estimated that the breach affected as many as 344,579 individuals. OCR’s subsequent investigation indicated that the following conduct occurred:
Impermissible disclosure of ePHI as a result of failure to properly erase photocopier hard drives before returning them to the lessee.
Failure to assess and identify the potential vulnerabilities of and risks to ePHI stored in the photocopier hard drives.
Failure to implement the CE’s policies for disposal of ePHI on the photocopier hard drives.
Former OCR Director Rodriguez commented: "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent …. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
Lesson 9: Protect Paper
As electronic records proliferate, it can be easy to view – and handle – paper with more casual eyes and hands. While the Security Rule governs only ePHI, the Privacy and Breach Notification Rules apply with full force to paper.
Like the Security Rule, the Privacy Rule requires that CEs and BAs implement and maintain appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in any form (45 CFR 164.530(c)). To comply, entities must implement safeguards that limit incidental uses and disclosures and avoid prohibited uses and disclosures, including when disposing of documents containing PHI. Clearly, CEs and BAs may not “simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”
While the Privacy Rule requires secure disposal, it does not mandate a particular method:
Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
Proper disposal of paper records may include, but is not limited to, shredding, burning, pulping, or pulverizing the records to render them “essentially unreadable, indecipherable, and otherwise cannot be reconstructed."
Three RA/CAPs prove that OCR does not take paper lightly:
Cornell Prescription Pharmacy – April 2015 (RA/CAP and $125,000 resolution amount)
OCR opened a compliance review after a local news outlet notified it of the disposal of unsecured documents containing 1,610 individuals’ PHI in an unlocked, open container on the CE’s premises. The documents were not shredded and contained identifiable information for specific patients. OCR’s investigation indicated the following conduct occurred:
Failure to reasonably safeguard PHI (45 CFR 164.530(c)(1)).
Failure to implement written policies and procedures to comply with the Privacy Rule (45 CFR 154.530(i)(1)).
Failure to provide and document necessary and appropriate workforce training on Privacy Rule policies and procedures (45 CFR 164.530(b)(1)).
OCR Director Samuels stated: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons …. Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”
CVS Pharmacies, Inc. – January 2009 (RA/CAP and $2.25M resolution amount)
OCR opened its Privacy Rule compliance investigation after media reported that several retail pharmacy chains were disposing of PHI in dumpsters that were not secure and that the public could access. For the first time, OCR and FTC coordinated investigation and resolution. OCR’s review indicated the following conduct occurred:
Disposal of non-electronic PHI in open dumpsters potentially accessible to persons other than workforce members.
Existing policies and procedures establishing physical and administrative safeguards were inadequate to appropriately and reasonably safeguard PHI.
Failure to adopt a sanctions policy for workforce members who failed to comply with existing policies and procedures.
Insufficient training to ensure that workforce members knew how to dispose of non-electronic PHI consistent with the Privacy Rule.
The CE also entered a consent order with FTC to settle charges of failure to take reasonable and appropriate security measures to protect sensitive medical and financial information, in violation of federal law.
Former Acting OCR Director Robinsue Frohboese stated: “OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process …. Such safeguards will benefit consumers everywhere.”
Rite Aid Corporation – July 2010 (RA/CAP and $1M resolution amount)
OCR opened an investigation after television media videotaped disposal of prescriptions and labeled pill bottles in industrial trash containers accessible to the public. OCR and FTC again coordinated investigation and resolution. OCR’s review indicated the following conduct occurred:
Failure to adopt policies and procedures establishing physical and administrative safeguards adequate to appropriately and reasonably safeguard non-electronic PHI.
Failure to maintain a sanctions policy for workforce members who failed to comply with existing policies and procedures.
Failure to provide and document necessary and appropriate workforce training on disposal of non-electronic PHI.
The CE also entered a consent order with FTC to settle charges of failure to take reasonable and appropriate security measures to protect sensitive medical and financial information, in violation of federal law.
Former OCR Director Georgina Verdugo emphasized: “It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA ….We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”
Parkview Health System, Inc. – June 2014 (RA/CAP and $800,000 resolution amount)
Dumpsters are not the only dangerous places in which to dispose of paper PHI. OCR investigated medical records “dumping” of a different sort after receiving a report of potential Privacy Rule violations by a retiring physician. OCR’s investigation indicated the following conduct occurred:
The CE took custody and control of 5,000-8,000 patients’ medical records while assisting the retiring physician with transitioning her practice.
The CE’s employees, with notice that the physician had refused delivery and was not home, left 71 boxes of medical records on the physician’s driveway, unattended and accessible to unauthorized persons.
The CE failed to appropriately and reasonably safeguard the PHI while it was in the CE’s possession, until it was permissibly transferred in accordance with 45 CFR 164.502, or was rendered unreadable, unusable, or indecipherable to unauthorized persons (45 CFR 164.530(c)).
Former OCR Acting Deputy Director of Health Information Privacy Christina Heide commented: “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk ….It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”
Lesson 10: Evaluate Internet Applications
The Security Rule requires every CE and BA to ensure the confidentiality, integrity, and availability of ePHI it “creates, receives, maintains, or transmits.” (45 CFR 164.306(a)(1)) (emph. added). Many providers are turning to the cloud to address their ePHI storage needs. Properly managed, cloud storage may be more secure than paper or portable media, which may be physically lost or stolen. For all its possible advantages, however, the cloud presents a unique disadvantage: the CE loses a measure of control over the data, beginning at the application level.
The cloud presents unique challenges to the administrative, physical, and technical safeguards the Security Rule requires. As a recent RA/CAP shows, CEs and BAs should approach cloud storage thoughtfully, should discourage user-level/ad hoc decisions on whether and which cloud storage options are appropriately secure, and should consider the risks and vulnerabilities specific to cloud storage when conducting their Security Rule risk analysis.
St. Elizabeth’s Medical Center – June 2015 (RA/CAP and $218,000 resolution amount)
OCR investigated a complaint alleging that the CE’s workforce members used an internet-based document sharing application to store documents containing at least 498 individuals’ ePHI, without having analyzed associated risks. In a separate incident, the CE notified OCR of a breach of 595 individuals’ unsecured ePHI stored on a former workforce member’s personal laptop and flash drive.
OCR’s investigation indicated the following conduct occurred:
Unauthorized disclosure of at least 1,093 individuals’ ePHI (45 CFR 160.103 and 164.502(a)).
Failure to implement sufficient security measures regarding the transmission and storage of ePHI, to reduce risks and vulnerabilities to a reasonable and appropriate level (45 CFR 164.308(a)(1)(ii)(B)).
Failure to timely identify and respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome (45 CFR 164.308(a)(6)(ii)).
OCR Director Samuels emphasized: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications …. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
Lesson 11: Support Your Software
OCR makes clear that CEs and BAs must consider “known security vulnerabilities” as part of their Security Rule risk analysis – for example, they should assess whether “an operating system include[s] known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer.”
This is all part of the organization’s general responsibility to ensure confidentiality, integrity, and availability of PHI (45 CFR 164.306(a)(1)), to protect ePHI against reasonably anticipated threats and hazards (45 CFR 164.306(a)(2)), and to guard against unauthorized access to ePHI (45 CFR 164.312(e)(1)). A recent RA/CAP demonstrates OCR’s focus on an entity supporting its IT.
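A risk analysis can turn the “unpatchable because unsupported” question into a repeatable check. The script below is an added example, not the article’s or OCR’s own material: it walks a constructed host inventory, flags software past its end-of-support date (where no patch will ever arrive), flags hosts whose patching has lapsed, and, as in the Anchorage case in this lesson, flags hosts with no host firewall. The end-of-support table, product names and host list are placeholders, not real vendor lifecycle data.

```python
"""Flag hosts running software past end of support, hosts whose patching has
lapsed, and hosts without a host firewall.  Constructed example: the
end-of-support table and the host list are invented placeholders, not
vendor lifecycle data."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# (product, version) -> end-of-support date; None means supported with no
# announced date.  Placeholder values only.
END_OF_SUPPORT: Dict[Tuple[str, str], Optional[date]] = {
    ("ExampleOS", "7"): date(2020, 1, 14),
    ("ExampleOS", "10"): date(2025, 10, 14),
    ("ExampleOS", "11"): None,
}

ASSESSMENT_DATE = date(2023, 6, 1)  # constructed "today" for the sample run


def is_unsupported(product: str, version: str, today: date) -> bool:
    """True when the vendor no longer issues patches.  A product/version that
    is not in the lifecycle table is treated as unsupported until someone
    documents otherwise, so unknowns surface in the risk analysis instead of
    silently passing."""
    key = (product, version)
    if key not in END_OF_SUPPORT:
        return True
    eos = END_OF_SUPPORT[key]
    return eos is not None and today >= eos


def assess_hosts(hosts: List[dict], today: date,
                 max_patch_age_days: int = 30) -> List[Tuple[str, str]]:
    """Return (hostname, finding) pairs in inventory order."""
    findings = []
    for h in hosts:
        if is_unsupported(h["product"], h["version"], today):
            # No patch can be applied: a known vulnerability with no fix.
            findings.append((h["host"], "unsupported_os"))
        elif h["last_patched"] is None or (today - h["last_patched"]).days > max_patch_age_days:
            findings.append((h["host"], "patch_overdue"))
        if not h.get("firewall_enabled", False):
            findings.append((h["host"], "no_firewall"))
    return findings


# Constructed inventory snapshot.
SAMPLE_HOSTS = [
    {"host": "ehr-app-01", "product": "ExampleOS", "version": "11",
     "last_patched": date(2023, 5, 20), "firewall_enabled": True},
    {"host": "lab-ws-03", "product": "ExampleOS", "version": "7",
     "last_patched": date(2019, 12, 1), "firewall_enabled": True},
    {"host": "billing-02", "product": "ExampleOS", "version": "10",
     "last_patched": date(2023, 3, 1), "firewall_enabled": False},
    {"host": "legacy-ct", "product": "LegacyRTOS", "version": "2",
     "last_patched": None, "firewall_enabled": False},
]

if __name__ == "__main__":
    for host, finding in assess_hosts(SAMPLE_HOSTS, ASSESSMENT_DATE):
        print(f"{host}: {finding}")
```

Treating an unknown product/version as unsupported is deliberate: an inventory entry nobody can place in a lifecycle table is exactly the kind of gap a risk analysis must surface rather than silently pass.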
Anchorage Community Mental Health Services – December 2014 (RA/CAP and $150,000 resolution amount)
OCR opened its investigation after the CE notified it of a breach affecting 2,743 individuals’ ePHI due to malware compromising its IT resources. OCR’s investigation indicated that the following conduct occurred:
Failure to conduct an accurate and thorough Security Rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)).
Failure to implement policies and procedures requiring security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level (45 CFR 164.308(a)(1)(ii)(B)).
Failure to implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network (45 CFR 164.312(e)). Specifically, the CE failed to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic, and that the CE supported and regularly updated its IT resources with available patches.
OCR Director Samuels noted: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis …. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Lesson 12: Watch IT Updates
“Access control” is a Security Rule technical safeguards standard that requires CEs and BAs to “[i]mplement technical policies and procedures of electronic information systems that maintain [ePHI] to allow access only to those persons or software programs that have been granted access rights ….” (45 CFR 164.312(a)(1)). “Evaluation” is an administrative safeguards standard that requires CEs and BAs to “[p]erform a periodic technical and nontechnical evaluation … in response to environmental or operational changes affecting the security of [ePHI],” that establishes the extent to which the entity’s security policies and procedures meet Security Rule requirements. Together, these two standards help the CE or BA ensure the confidentiality, integrity, and availability of ePHI by ensuring that operational changes such as software upgrades do not inadvertently give unauthorized individuals access to the entity’s ePHI.
Inadequate attention to performing technical evaluations of operational changes can result in significant data breaches and compromise the confidentiality, integrity, and availability of ePHI.
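The “evaluation” standard becomes concrete when the security-relevant settings of an application are captured before an upgrade and compared against a baseline afterwards. The script below is an added example and not the article’s own material: it reports every baseline setting the upgrade removed or weakened, and every setting the upgrade introduced that has not yet been reviewed. The baseline keys and both configuration snapshots are constructed placeholders; a real evaluation would use the application’s actual settings.

```python
"""Technical evaluation of a software upgrade: compare security-relevant
settings before and after the change against a baseline and report every
regression.  Constructed example: the baseline keys and both configuration
snapshots are invented; substitute the real application's settings."""
from typing import Any, Dict, List, Tuple

# Baseline: setting -> (comparison, expected).  "eq" must match exactly,
# "max" must not exceed the value, "min_version" must be at least the version.
BASELINE: Dict[str, Tuple[str, Any]] = {
    "auth.require_login": ("eq", True),
    "auth.anonymous_read": ("eq", False),
    "tls.enabled": ("eq", True),
    "tls.min_version": ("min_version", "1.2"),
    "session.timeout_minutes": ("max", 15),
}


def _version(s: Any) -> Tuple[int, ...]:
    return tuple(int(p) for p in str(s).split("."))


def _meets(op: str, expected: Any, actual: Any) -> bool:
    if op == "eq":
        return actual == expected
    if op == "max":
        return isinstance(actual, (int, float)) and actual <= expected
    if op == "min_version":
        return _version(actual) >= _version(expected)
    raise ValueError(f"unknown comparison {op!r}")


def evaluate_upgrade(pre: Dict[str, Any], post: Dict[str, Any],
                     baseline: Dict[str, Tuple[str, Any]] = BASELINE) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs: baseline settings that the upgrade
    removed or weakened, plus settings the upgrade introduced that nobody
    has reviewed yet."""
    findings = []
    for key, (op, expected) in baseline.items():
        if key not in post:
            # Upgrade dropped the setting; the new default is unknown.
            findings.append((key, "unset_after_upgrade"))
        elif not _meets(op, expected, post[key]):
            was_ok = key in pre and _meets(op, expected, pre[key])
            findings.append((key, "regressed" if was_ok else "noncompliant_before_and_after"))
    for key in post:
        if key not in pre:
            findings.append((key, "new_setting_needs_review"))
    return findings


# Constructed snapshots: before the upgrade everything met the baseline.
PRE_UPGRADE = {
    "auth.require_login": True,
    "auth.anonymous_read": False,
    "tls.enabled": True,
    "tls.min_version": "1.2",
    "session.timeout_minutes": 15,
}
# After the upgrade the installer re-enabled anonymous reads, lowered the TLS
# floor, dropped the session timeout and exposed a new unauthenticated endpoint.
POST_UPGRADE = {
    "auth.require_login": True,
    "auth.anonymous_read": True,
    "tls.enabled": True,
    "tls.min_version": "1.0",
    "api.public_endpoints": ["/records/search"],
}

if __name__ == "__main__":
    for setting, finding in evaluate_upgrade(PRE_UPGRADE, POST_UPGRADE):
        print(f"{setting}: {finding}")
```

A setting that is absent after the upgrade is reported rather than assumed safe, because an installer’s new default is exactly the unknown the evaluation exists to resolve.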
WellPoint, Inc. – July 2013 (RA/CAP and $1.7M resolution amount)
OCR began its investigation after the CE submitted a report of a breach of unsecured PHI. The report indicated that security weaknesses in an online application database left 612,402 individuals’ ePHI accessible to unauthorized persons over the internet. OCR’s investigation indicated the following conduct occurred:
Failure to implement adequate policies and procedures for authorizing access to ePHI maintained in the CE’s web-based application database.
Failure to perform an adequate technical evaluation in response to a software upgrade – an operational change affecting the security of ePHI maintained in the CE’s web-based application database – that would establish the extent to which configuration of the software providing authentication safeguards for the web-based application met Security Rule requirements.
Impermissible disclosure of approximately 612,000 individuals’ ePHI maintained in the web-based application database.
OCR’s press release announcing the settlement stated: “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”
Lesson 13: Execute Compliant Business Associate Agreements
A “business associate” is a person who creates, receives, maintains, or transmits PHI to provide certain services to the CE (45 CFR 160.103). Both the Privacy Rule and the Security Rule prohibit disclosing PHI to a business associate unless and until the BA has provided “written assurances” that it will appropriately safeguard the information (45 CFR 164.502(e)(1) (Privacy Rule); 45 CFR 164.314(a) (Security Rule)). These assurances must be documented in a “written contract or other arrangements” that meets the requirements of a business associate agreement (45 CFR 164.502(e)(2)). A compliant BAA also clarifies and limits the BA’s permissible uses and disclosures of PHI, based upon the parties’ relationship and the services the BA performs. A BA may only use and disclose PHI as permitted or required by the BAA, or as required by law. BAs are now directly liable under the HIPAA Rules for uses and disclosures that the BAA does not authorize.
Business associates are eligible for audit in Phase 2. To aid compliance, OCR offers sample business associate agreement provisions.
Raleigh Orthopaedic Clinic, P.A. – April 2016 (RA/CAP and $750,000 resolution amount)
OCR investigated the CE after receiving a breach report in 2013. The agency’s investigation showed that the CE released x-ray films and related PHI of 17,300 patients to an entity that would transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. The CE had not executed a business associate agreement with the entity, “acting as its business associate,” before disclosing the PHI, in violation of 45 CFR 164.502(e).
OCR Director Samuels commented: “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise …. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
North Memorial Health Care – March 2016 (RA/CAP and $1.55M resolution amount)
OCR began investigation of North Memorial Health Care – a comprehensive not-for-profit health care system – after receiving a report that an unencrypted, password-protected laptop was stolen from the vehicle of a business associate’s employee. This impacted 9,497 individuals’ ePHI. According to OCR’s investigation, the following conduct appears to have occurred:
Providing a BA access to the CE’s PHI without obtaining satisfactory assurance from the BA (in the form of a written business associate agreement) that the BA would appropriately safeguard PHI (45 CFR 164.308(b) and 164.502(e)).
Impermissible disclosure of at least 289,904 individuals’ PHI to the BA by providing access to PHI without obtaining the BA’s satisfactory assurances (in the form of a written BAA) that the BA would appropriately safeguard the PHI (45 CFR 164.502(a)).
Failure to conduct an accurate and thorough risk analysis that incorporated all of the CE’s information technology equipment, applications, and data systems using ePHI (45 CFR 164.308(a)(1)(ii)(A)).
OCR Director Samuels commented: “Two major cornerstones of the HIPAA Rules were overlooked by this entity …. Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
Lesson 14: Joint Arrangements Might Mean Joint Liability
Entities may enjoy economies of scale or other business- or patient-care benefits when they share ePHI functions or platforms. However, entities that share in this way also risk sharing HIPAA liability when a breach occurs.
New York Presbyterian Hospital – May 2014 (RA/CAP and $3.3M resolution amount)
Columbia University – May 2014 (RA/CAP and $1.5M resolution amount)
NYP and CU are separate CEs that participated in a joint arrangement in which CU faculty served as NYP attending physicians. The CEs operated a shared data network and shared network firewall administered by both. The shared network linked to NYP information systems containing ePHI.
OCR opened its investigations when the CEs jointly reported a breach of 6,800 NYP patients’ ePHI. The breach resulted when a CU physician, who developed applications for both entities, tried to deactivate a personally-owned computer server on the shared network. Deactivating the server resulted in ePHI being accessible on internet search engines. The CEs became aware of the breach when an individual notified them that ePHI for the individual’s deceased partner – a former NYP patient – was available on the internet.
OCR’s investigations indicated the following conduct occurred:
NYP impermissibly disclosed 6,800 patients’ ePHI to internet search engines when a computer server with access to NYP ePHI was errantly reconfigured.
NYP and CU failed to conduct an accurate and thorough Security Rule risk analysis incorporating all IT equipment, applications, and data systems utilizing ePHI.
NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems linked to NYP patient databases, and failed to implement security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level.
CU failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems linked to NYP patient databases, and failed to implement security measures sufficient to reduce risks of inappropriate disclosure to an appropriate level.
NYP failed to implement appropriate policies and procedures for authorizing access to its patient databases, and failed to comply with its own policies on information access management.
Former OCR Acting Deputy Director of Health Information Privacy Heide stated: “When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information ….Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
Lesson 15: Privacy Still Counts
Lesson 16: Terminating Employment? Terminate Access
With 2015 designated “the year of the health care hack,” and information security breaches regularly making front-page news, Security Rule compliance is certainly in the spotlight. As tempting as it may be to focus time and resources exclusively in this realm, one of OCR’s largest enforcements emphasizes that Privacy Rule compliance should not get short shrift.
“Authorization” is fundamental to the Privacy Rule. Except as the Privacy Rule otherwise permits or requires, a CE may not use or disclose PHI without a valid authorization from the subject individual (45 CFR 508(a)(1)). The Privacy Rule describes the “core elements” and other “required statements” for a valid authorization (45 CFR 164.508(c)(1)). A recent multi-million dollar settlement highlights the potential consequences of failing to acquire authorization to use and disclose PHI.
New York Presbyterian – April 2016 (RA/CAP and $2.2M resolution amount)
The settlement results from what OCR describes as “egregious disclosure” of two patients’ PHI, without authorization, to film crews and staff during filming of a popular television medical drama. OCR found that the CE allowed film crews “virtually unfettered access” to its facility, “effectively creating an environment where PHI could not be protected from impermissible disclosures” to the crew. OCR’s investigation indicated that the following conduct occurred:
Impermissible disclosure of two identified patients’ PHI to the film crews and staff (45 CFR 164.502(a)).
Failure to appropriately and reasonably safeguard PHI from disclosure during filming on its premises, as well as failure to implement appropriate policies and procedures to protect patients’ privacy during filming (45 CFR 154.530(c)).
OCR Director Samuels emphasized: “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization …. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
OCR has developed an FAQ for film and media access to PHI.
As the FAQ makes clear:
Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances … does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
Health care providers may not allow media into treatment areas, or other areas where PHI will be accessible in any form, without patients’ prior authorization.
Two other central Privacy Rule concepts are business associate agreements and “minimum necessary.” As discussed regarding the North Memorial Health Care and Raleigh Orthopaedic Clinic, P.A. enforcements, a CE cannot disclose PHI to a business associate, and may not allow the BA to create, receive, maintain, or transmit PHI on its behalf, unless and until a compliant business associate agreement is in place (45 CFR 164.502(e)). Further, with limited exceptions, a CE or BA must make reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose (45 CFR 164.502(b)). The BA and minimum necessary provisions are “general rules” under the Privacy Rule, and underlie many of its other requirements.
Role-based access is an important safeguard for PHI. As part of its "minimum necessary" mandates, the Privacy Rule requires CEs and BAs to identify the workforce members who need access to PHI, the PHI to which they need access, and any conditions on access (45 CFR 164.514(d)(2)(A) and (B)). The Security Rule addresses role-based access as both an administrative and technical safeguard for ePHI. As an administrative safeguard, a CE or BA must implement "policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of [the Privacy Rule]." (45 CFR 164.308(a)(4)). As a complementary technical safeguard, a CE or BA must implement "technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights …." (45 CFR 164.312(a)(1)).
Failure to terminate access, and lack of compliant BAAs, are compliance issues in and of themselves. But when combined, these HIPAA violations create an environment ripe for enforcement.
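Role-based access, access termination and BAA coverage can all be checked from the same three data sources: the HR roster, the account directory, and the vendor register. The script below is an added example, not the article’s own material; it reconciles constructed versions of those sources and reports enabled accounts belonging to terminated workforce members, workforce accounts holding ePHI resources beyond their role’s minimum-necessary entitlement, and vendor accounts with access but no executed BAA on file. The role matrix, users, vendors and dates are invented placeholders.

```python
"""Reconcile identity data against the HR roster and vendor register:
active accounts for terminated workforce members, entitlements beyond the
role's minimum-necessary set, and vendor access without an executed BAA.
Constructed example: roster, accounts, vendors and the role matrix are
invented."""
from datetime import date
from typing import Dict, List, Set, Tuple

# Minimum-necessary matrix: role -> ePHI resources that role may access.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"ehr", "lab_results"},
    "claims_examiner": {"claims_db"},
    "billing": {"claims_db", "billing_db"},
}

RECONCILIATION_DATE = date(2023, 6, 1)  # constructed "today"


def stale_accounts(accounts: List[dict], roster: List[dict], today: date) -> List[str]:
    """Enabled accounts whose owner's termination date is on or before today."""
    terminated = {r["user"]: r["termination_date"] for r in roster if r["termination_date"]}
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminated and terminated[a["user"]] <= today)


def excess_entitlements(accounts: List[dict], roster: List[dict]) -> List[Tuple[str, List[str]]]:
    """Workforce accounts holding resources outside their role's entitlement."""
    role_of = {r["user"]: r["role"] for r in roster}
    out = []
    for a in accounts:
        if not a["enabled"] or a.get("vendor"):
            continue  # vendor accounts are checked against the BAA register instead
        allowed = ROLE_ENTITLEMENTS.get(role_of.get(a["user"]), set())
        extra = sorted(set(a["resources"]) - allowed)
        if extra:
            out.append((a["user"], extra))
    return out


def vendor_access_without_baa(accounts: List[dict], vendors: List[dict]) -> List[str]:
    """Enabled third-party accounts whose vendor has no executed BAA on file."""
    with_baa = {v["name"] for v in vendors if v["baa_executed"]}
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a.get("vendor") and a["vendor"] not in with_baa)


# Constructed data.
HR_ROSTER = [
    {"user": "alice", "role": "nurse", "termination_date": None},
    {"user": "bob", "role": "claims_examiner", "termination_date": date(2023, 4, 30)},
    {"user": "carol", "role": "billing", "termination_date": None},
    {"user": "dave", "role": "nurse", "termination_date": date(2023, 7, 15)},  # still employed
]
ACCOUNTS = [
    {"user": "alice", "enabled": True, "resources": ["ehr", "lab_results"]},
    {"user": "bob", "enabled": True, "resources": ["claims_db"]},  # left a month ago, still enabled
    {"user": "carol", "enabled": True, "resources": ["claims_db", "billing_db", "ehr"]},
    {"user": "dave", "enabled": True, "resources": ["ehr"]},
    {"user": "print-vendor-svc", "enabled": True, "resources": ["member_mailing"], "vendor": "PrintCo"},
    {"user": "shred-svc", "enabled": True, "resources": ["disposal_queue"], "vendor": "SecureShred"},
]
VENDORS = [
    {"name": "PrintCo", "baa_executed": False},
    {"name": "SecureShred", "baa_executed": True},
]

if __name__ == "__main__":
    print("Disable now:", stale_accounts(ACCOUNTS, HR_ROSTER, RECONCILIATION_DATE))
    print("Beyond role:", excess_entitlements(ACCOUNTS, HR_ROSTER))
    print("Vendor access without BAA:", vendor_access_without_baa(ACCOUNTS, VENDORS))
```

Run on a schedule, the first list is the termination-of-access control the Triple-S findings below turn on; the second is the minimum-necessary check; the third catches the “vendor with access but no BAA” pattern from the same case. A user absent from the roster entirely has no role and therefore no entitlement, so every resource on such an account is reported.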
Triple-S Management Corporation – November 2015 (RA/CAP and $3.5M resolution amount)
Triple-S is an insurance holding company offering a wide range of insurance products and services through its subsidiaries. Several breaches involving various wholly-owned subsidiaries underlie this significant enforcement:
Former workforce members employed by a competitor were able to access a subsidiary’s proprietary database containing ePHI because their access rights were not terminated upon leaving employment. This breach affected more than 500 individuals.
Two vendors with which no BAAs were in place improperly disclosed certain beneficiaries’ PHI on the back of pamphlets mailed to beneficiaries. Each breach affected more than 500 individuals.
A business associate’s employee copied beneficiary ePHI onto a portable medium and subsequently downloaded it to his new employer’s computer. This breach affected more than 500 individuals.
Enrollment staff placed incorrect member ID cards in mailing envelopes, resulting in beneficiaries receiving another member’s ID card. This breach affected more than 500 individuals.
Beneficiaries’ Health Plan Identification numbers were incorrectly placed on mailing labels. This breach affected fewer than 500 individuals.
PHI for the wrong member was included in a preventive mailing to beneficiaries. This breach affected fewer than 500 individuals.
OCR’s investigation indicated that the following conduct occurred:
Impermissible disclosure of PHI in violation of the Privacy Rule (45 CFR 164.502(a)).
Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of beneficiaries’ PHI, in violation of the Privacy Rule (45 CFR 164.530(c)(1) and (c)(2)(i)).
Impermissible disclosure of PHI to vendors with which no appropriate BAA was in place, in violation of the Security Rule (45 CFR 164.314(a)(2)(1)).
Disclosure of more PHI than was necessary to accomplish the purpose for which it hired the vendor, in violation of the Privacy Rule. (45 CFR 164.514(d)).
Failure to conduct an accurate and thorough risk analysis, in violation of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)).
Failure to implement security measures sufficient to reduce the risks to and vulnerabilities of ePHI to a reasonable and appropriate level, in violation of the Security Rule (45 CFR 164.308(a)(1)(ii)(B)).
Failure to implement procedures for terminating access to ePHI when employment ends, in violation of the Security Rule (45 CFR 164.308(a)(3)(ii)(c)).
OCR Director Samuels commented: “OCR remains committed to strong enforcement of the HIPAA Rules …. This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
Lesson 17: Size Doesn’t Matter (Much)
Neither the size of the entity, nor the size of the breach, shields a CE or BA from enforcement. True, there are some differences: different timetables under which to notify HHS of breaches of 500 or more individuals versus fewer than 500 individuals (45 CFR 164.408(b) and (c)); different media notification requirements for breaches involving more than 500 residents of a State or jurisdiction (45 CFR 164.406(a)); flexibility to implement security measures depending in part on the CE’s or BA’s size, complexity, and capabilities (45 CFR 164.306(b)(2)(i)). While size of the entity or scope of the breach may influence some aspects of compliance, it does not insulate a CE or BA from the need to comply – or from OCR enforcement.
Adult & Pediatric Dermatology, P.C. – December 2013 (RA/CAP and $150,000 resolution amount)
The CE’s troubles began, as others have, with a stolen portable media device. OCR opened its investigation after the CE reported that an unencrypted thumb drive containing ePHI had been stolen from a workforce member’s vehicle. OCR’s investigation indicated the following conduct occurred:
Failure to conduct a Security Rule risk analysis as part of its security management process.
Failure to fully comply with the requirements to have written policies and procedures in place, and to train workforce members, regarding Breach Notification Rule requirements (OCR did note that the CE notified patients of the theft within 30 days, and provided media notice).
Impermissible disclosure of up to 2,200 individuals’ ePHI when it failed to reasonably safeguard the unencrypted thumb drive.
Former OCR Director Leon Rodriguez commented: “As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before the bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
Phoenix Cardiac Surgery – April 2012 (RA/CAP and $100,000 resolution amount)
PCS was a one-location, two-physician provider of cardiothoracic surgery services. Over a 2.5-year period, employees posted more than 1,000 entries of PHI into a publicly-accessible, internet-based calendar. Over a four-year period, the CE "daily" transmitted ePHI from an internet-based email account to employees' internet-based email accounts.
OCR’s investigation revealed the following conduct occurred:
Failure to provide and document workforce training on required policies and procedures regarding PHI, as necessary and appropriate for each workforce member to do his/her job.
Failure to have in place reasonable and appropriate administrative and technical safeguards to protect the privacy of PHI.
Failure to obtain satisfactory assurance from BAs (internet-based calendar and public email providers) that they would appropriately safeguard the ePHI received from the CE.
Former OCR Director Rodriguez stated: “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules .... We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
First Settlement Involving a Breach Affecting <500 Individuals: Hospice of North Idaho – December 2012 (RA/CAP and $50,000 resolution amount)
The underlying facts of HONI’s breach are not remarkable: the CE reported the theft of a laptop containing unencrypted ePHI. Unlike with previous settlements, however, the number of affected individuals – 441 – was relatively small. OCR’s investigation indicated the following conduct occurred:
Failure to conduct a Security Rule risk analysis as part of its security management process. Specifically, the CE did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted by portable devices, implement appropriate security measures to address these risks, document the chosen security measures and rationale for adopting them, and maintain ongoing reasonable and appropriate security measures.
Failure to adopt or implement security measures sufficient to manage risk to the confidentiality of ePHI maintained in and transmitted by portable devices to a reasonable and appropriate level.
Former OCR Director Rodriguez emphasized: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information …. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Lesson 18: No Exceptions for the C-Suite
The Privacy Rule applies to covered entities – and, where provided, business associates – with respect to PHI (45 CFR 164.500(a) and (c)). If a CE or BA is not a natural person, its workforce members, at all levels of the organization, act on its behalf to safeguard the confidentiality, integrity, and availability of PHI. The C-suite, like all other workforce members, must comply with the HIPAA Rules when using and disclosing the organization’s PHI. When a violation occurs, the fact that a member of “upper management” was responsible will not shield the CE or BA from liability.
Shasta Regional Medical Center – June 2013 (RA/CAP and $275,000 resolution amount)
OCR opened a compliance review after a newspaper article indicated that two senior leaders had met with media to discuss medical services provided to a patient. According to OCR’s press release, the CE impermissibly disclosed the patient’s PHI to multiple media outlets on at least three separate occasions, without obtaining a valid authorization.
OCR’s investigation indicated the following conduct occurred:
Failure to safeguard the patient’s PHI from any impermissible intentional or unintentional disclosure on multiple occasions, including:
Sending a letter to a media outlet responding to a story about Medicare fraud, describing the patient’s medical treatment and specifics about her lab results.
Two senior leaders meeting with a media editor to discuss the patient’s medical record in detail.
Sending a letter to a media outlet containing detailed information about the patient’s treatment.
Impermissible use of the patient’s PHI, specifically, sending an email to its entire workforce and medical staff (785-900 individuals) describing the patient’s medical condition, diagnosis, and treatment in detail.
Failure to sanction workforce members pursuant to its internal sanctions policy.
Former OCR Director Rodriguez admonished: “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior …. Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
Lesson 19: Beef Up Breach Notification
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule, or BNR), issued under the Health Information Technology for Economic and Clinical Health (HITECH) Act, became effective on September 23, 2009. The Breach Notification Rule requires CEs and BAs to provide notice after a breach of unsecured PHI.
One of the most prominent provisions of the BNR is self-reporting. If a breach involves 500 or more individuals’ PHI, the CE must report the breach to HHS contemporaneously with notifying affected individuals (45 CFR 164.408(b)). If the breach involves fewer than 500 individuals’ PHI, the CE must report the breach annually, along with other such breaches (45 CFR 164.408(c)).
Regardless of size, however, the CE must eventually report the breach to HHS. The first self-reported breach resulting in a RA/CAP involved a hefty resolution amount, and an admonishment regarding the BNR’s importance as an enforcement tool. This case also highlights the importance of top-to-bottom enforcement, including an organization-wide Security Rule risk analysis.
BlueCross BlueShield of Tennessee – March 2012 (RA/CAP and $1.5M resolution amount)
OCR opened its investigation after the CE notified it that 57 unencrypted computer hard drives – containing more than 1 million individuals’ ePHI – had been stolen from a leased facility. According to OCR’s investigation, the CE received an alert that a server at the facility was unresponsive, but did not respond or investigate until three days later “because the unresponsive server message did not alert [the CE] that there had been a theft, and the server did not appear to adversely impact operations.”
Commenting on the RA/CAP, former OCR Director Rodriguez stated: “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program .... The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
Lesson 20: Don't Snoop
The importance of role-based access is addressed above. Humans may be curious by nature, but using or disclosing PHI in violation of HIPAA can most definitely kill the cat. There is no such thing as "just a peek" at your neighbor's, ex-spouse's, or co-worker's PHI. An RA/CAP involving just this situation illustrates just how seriously OCR takes access rights.
UCLA Health Systems – July 2011 (RA/CAP and $865,500 resolution amount)
Two celebrity patients who received health care at the covered entity filed complaints with OCR alleging that unauthorized workforce members accessed and reviewed their ePHI. OCR’s investigation indicated the following conduct occurred:
“[N]umerous” workforce members “repeatedly and without permissible reason” examined patients’ ePHI.
A workforce member “repeatedly and without a permissible reason” examined the ePHI of “many” patients.
The CE did not provide and/or did not document providing necessary and appropriate Privacy Rule and Security Rule training for workforce members.
The CE did not apply and/or document appropriate sanctions for workforce members who impermissibly examined ePHI.
The CE failed to implement security measures sufficient to reduce risks of impermissible access to a reasonable and appropriate level.
Former OCR Director Georgina Verdugo commented: “Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider .... Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”
Lesson 21: Public Entities and Government Are Not Exempt
The HIPAA Rules’ standards, requirements, and implementation specifications apply to covered entities, and – where provided in the Rules – to business associates (45 CFR 160.201(a) and (b)). The definition of covered entity, health care provider, health care clearinghouse, or health plan is not limited to private entities, and OCR has shown its willingness to enforce against public entities and government.
First Settlement With A Public Entity: Alaska Department of Health and Social Services – June 26, 2012 (RA/CAP and $1.7M resolution amount)
The CE reported to OCR that a USB hard drive, possibly containing ePHI, was stolen from an employee’s vehicle. OCR determined, after investigation, that the CE had not:
Completed a Security Rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)).
Implemented sufficient risk management measures (45 CFR 164.308(a)(1)(ii)(B)).
Completed security training for workforce members (45 CFR 164.308(a)(5)(i)).
Implemented device and media controls (45 CFR 164.310(d)(1)).
Addressed device and media encryption (45 CFR 164.312(a)(2)(iv)).
Commenting on the RA/CAP, former OCR Director Rodriguez emphasized: “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices .... This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
First Settlement With Government: Skagit County, Washington – March 2014 (RA/CAP and $215,000 resolution amount)
OCR received a breach report that unknown persons accessed seven individuals’ ePHI after the information was moved to a publicly-accessible server the CE maintained. OCR discovered a broader exposure of 1,581 individuals’ ePHI, including sensitive information such as infectious disease testing and treatment.
OCR’s investigation indicated the following conduct occurred:
Disclosure of 1,581 individuals’ ePHI in violation of the Privacy Rule (45 CFR 160.103 and 164.502(a)).
Failure to provide notification to affected individuals in violation of the Breach Notification Rule (45 CFR 164.404).
Failure to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations (45 CFR 164.308(a)(1)(ii)).
Failure to implement and maintain policies and procedures reasonably designed to ensure Security Rule compliance (45 CFR 164.316(a) and (b)).
Failure to provide security awareness training to all workforce members, including IT staff, as necessary and appropriate for them to carry out their functions within the CE (45 CFR 164.308(a)(5)).
Former OCR Deputy Director of Health Information Privacy McAndrew stated: “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size …. These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.”
Lesson 22: Research Institutions are Accountable
Feinstein Institute for Medical Research – March 2016 (RA/CAP and $3.9M resolution amount)
The CE – a biomedical research institute – notified OCR that an unencrypted laptop computer containing approximately 13,000 patients’ and research subjects’ ePHI had been stolen from an employee’s car. OCR’s investigation indicated the following conduct occurred:
Impermissible disclosure of 13,000 individuals’ ePHI when a CE-owned laptop containing ePHI was left unsecured in the back seat of an employee’s car (45 CFR 164.502(a)).
Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by the CE, including the ePHI on the stolen laptop (45 CFR 164.308(a)(1)(ii)(A)).
Failure to implement policies and procedures for granting access to ePHI by the CE’s workforce members (45 CFR 164.308(a)(4)(ii)(B)).
Failure to implement physical safeguards for the laptop containing ePHI so as to restrict access by unauthorized users (45 CFR 164.310(c)).
Failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing ePHI into and out of the facility, and the movement of these items within the facility (45 CFR 164.310(d)).
Failure to implement a mechanism to encrypt ePHI or, alternatively, to document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI (45 CFR 164.312(a)(2)(iv)).
OCR Director Samuels commented: “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities …. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
Lesson 23: Mind Your Marketing
Under the Privacy Rule, “marketing” is “mak[ing] a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” (45 CFR 164.501). While common usage of the terms “treatment,” “healthcare operations,” and “marketing” unavoidably overlap, the Privacy Rule specifically defines these terms so regulated entities can distinguish them. With limited exceptions, a CE or BA must obtain the individual’s written authorization before using or disclosing PHI for marketing purposes.
The HIPAA marketing rules are complex. However, two RA/CAPs emphasize the importance of prudent uses and disclosures for marketing.
Management Services Organization Washington, Inc. – December 2010 (RA/CAP and $35,000 resolution amount)
HHS began investigating the CE based on a referral from the HHS Office of Inspector General and Department of Justice, Civil Division, which had been investigating the CE and its owner for violations of the Federal False Claims Act. During its investigation, OIG discovered that the CE’s owner also owned an entity that earned commissions by marketing and selling Medicare Advantage plans (Entity).
OCR’s investigation indicated that the following conduct occurred:
Impermissible disclosure of ePHI to Entity without a valid authorization, for Entity’s purpose of marketing Medicare Advantage plans to the subject individuals.
“Intentional” lack of appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI, and failure to implement required administrative, physical, and technical safeguards for ePHI.
Since the MSO RA/CAP, HHS published the HIPAA/HITECH Omnibus Final Rule, which substantially changed – and further restricted – the circumstances under which a covered entity or business associate can use or disclose PHI for marketing purposes. Certain marketing communications that were once possible without an authorization now require one, and as a result, it is even more difficult for CEs and BAs to use or disclose PHI for marketing purposes without obtaining the individual's valid authorization.
Complete P.T., Pool & Land Physical Therapy, Inc. – February 2016 (RA/CAP and $25,000 resolution amount)
OCR began its investigation after receiving a complaint that the CE had impermissibly disclosed individuals’ PHI by posting patient testimonials – including full names and full-face photographic images – to its website without obtaining HIPAA-compliant authorizations. OCR’s investigation indicated that the following conduct occurred:
Failure to reasonably safeguard PHI under the Privacy Rule (45 CFR 164.530(c)(1)).
Impermissible disclosure of PHI (45 CFR 164.502(a)).
Failure to implement policies and procedures with respect to PHI designed to comply with authorization requirements (45 CFR 164.530(i)(1)).
OCR Director Samuels commented: “The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing …. All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”
Threats to the confidentiality, integrity, and availability of PHI abound. Protected health information is a valuable commodity and cybercrime is easier than ever, making health information a prime target for wrongdoers. Even apart from the criminal element, IT systems and processes may fail, and employees may not know how to safeguard PHI or may make mistakes when trying to do so. Given the threat environment and the high stakes involved with data breaches and security incidents, it makes sense for CEs and BAs to use all resources at their disposal to maintain and strengthen their HIPAA compliance.
OCR’s enforcement history provides valuable lessons to CEs and BAs, and CMPs and RA/CAPs highlight areas of significant enforcement upon which OCR may focus in the Phase 2 audits, as well as in complaint resolution. Studying these lessons and putting them into action may help your organization avoid patient, financial, and reputational injury in the HIPAA arena.
For more information, please contact Kimberly Metzger or a member of our Data Security and Privacy practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
NIST is a non-regulatory federal agency within the U.S. Department of Commerce that works, among other things, to advance state-of-the-art IT in areas such as cybersecurity. In February 2013, President Obama charged NIST to collaborate with the private sector and develop a framework for reducing cyber-risks to critical infrastructure across industries. After a year-long, open process involving public and private organizations, NIST released the NIST Framework in February 2014.
During intake and review of a complaint, OCR must first determine that it is one against which OCR can take action. OCR can only take action against complaints that (1) arose after the compliance date for the Privacy Rule (April 14, 2003) or Security Rule (April 20, 2005); (2) are against a covered entity or business associate; (3) allege an activity that, if true, violates the Privacy Rule or Security Rule; and (4) are filed within 180 days of when the complainant knew or should have known of the alleged violation, unless OCR waives this requirement for good cause. If the complaint does not meet all these criteria, it is “resolved” at intake and review, and OCR takes no further action. OCR may also resolve at intake if the complaining party withdraws the complaint.
A designated record set is a group of records maintained by or for the CE that is composed of: (1) Medical records and billing records about individuals maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) other records that are used, in whole or in part, by or for the covered entity to make decisions about the individual or others. (45 CFR 164.501).
Liu, V., Musen, M.A., and Chou, T. Data Breaches of Protected Health Information in the United States. JAMA 2015; 313(14): 1417-1473. doi:10.1001/jama.2015.2252.
74 Fed. Reg. 162 (August 24, 2009).
“Addressable” does not mean “optional.” When a standard includes addressable implementation specifications, the CE or BA must (1) implement the implementation specification if reasonable and appropriate, or (2) document why implementation is not reasonable and appropriate, and implement an equivalent alternative measure if reasonable and appropriate. (45 CFR 164.306(d)(3)).
OCR makes clear that a CE or BA need not use the sample provisions to achieve compliance, and may change them “to more accurately reflect” the parties’ business arrangements. The provisions are designed to reflect the HIPAA Rules, and alone may not result in a binding contract under State law. Further, relying on the sample provisions may not be sufficient to comply with State law, and “does not replace consultation with a lawyer or negotiations between the parties to the contract.” See http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html, accessed April 21, 2016.
For example, a CE may need to seek media assistance to identify or locate the family of an unidentified and incapacitated patient in its care. In that case, HIPAA permits disclosure of PHI to the media if the CE determines, in its professional judgment, that doing so is in the patient’s best interest (45 CFR 164.510(b)(1)(ii)).
When using or disclosing PHI, or when requesting PHI from another covered entity or business associate, a CE or BA "must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." (45 CFR 164.502(b)).
45 CFR 164.400-414. The Interim Final Rule that became effective on September 23, 2009, remains in effect until HHS issues a new final rule.
The Federal Trade Commission (FTC) implements and enforces similar breach notifications which – under HITECH – apply to vendors of personal health records and their third-party service providers.