OCR Announces Initiative to More Widely Investigate Small Health Data Breaches

Covered entities (CE) and business associates (BA) steeped in the world of HIPAA compliance are more than aware of the “wall of shame”: the U.S. Department of Health and Human Services (HHS), Office for Civil Rights’ (OCR) electronic posting of breaches of protected health information (PHI) affecting 500 or more individuals reported to the agency. Although OCR’s Regional Offices investigate all of these “large breaches,” they also review all reports of “small breaches”—breaches affecting fewer than 500 individuals—and then selectively determine which of these small breaches warrant investigation, taking into account both the factual circumstances surrounding the breaches and regional resources. A recent OCR announcement indicates that the agency will now make its investigation of small breaches a greater priority, signaling a likely shift in resource allocation and a corresponding anticipated uptick in small breach investigations.

Specifically, on August 18, 2016, OCR announced an “initiative to more widely investigate breaches affecting fewer than 500 individuals.” OCR’s Regional Offices will devote increased attention to examining the root causes of these small breaches and obtaining corrective actions from CEs and BAs to remedy any noncompliance that may have contributed to these breaches. The announcement comes at a time of heightened OCR enforcement activity, as OCR’s Phase 2 Audit Program, which consists of random compliance audits of both CEs and BAs, is currently underway. The announcement also addresses concerns expressed in a report that the HHS Office of the Inspector General published last fall, in which it recommended that OCR expand its oversight of entities reporting small breaches.

But as OCR noted in its announcement, the agency has historically scrutinized small breach reports and complaints alleging smaller incidents and has even announced settlements with several entities (including its first with a BA) involving small breaches, such as the following:

  • First Settlement Against a Business Associate: Catholic Health Care Services – June 2016 (Resolution Agreement (RA)/Corrective Action Plan (CAP) and $650,000 resolution amount)
OCR announced that it settled potential HIPAA Security Rule violations with Catholic Health Care Services (CHCS), which provided management and information technology services as a BA of nursing homes. The alleged violations stemmed from the theft of a mobile device, affecting the electronic protected health information (ePHI) of 412 individuals.

OCR began investigating the BA after receiving breach notifications from six CEs that a CHCS employee’s iPhone, issued by CHCS, had been stolen. The iPhone was neither encrypted nor password protected, and contained 412 individuals’ “extensive” electronic protected health information (ePHI), including Social Security numbers, diagnosis and treatment information, and medication information.
OCR’s investigation indicated the following conduct occurred since September 23, 2013, the Security Rule compliance date for BAs:
  • Failure to perform a Security Rule risk analysis, which is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; and
  • Failure to implement a Security Rule risk management plan that identifies appropriate security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.
OCR also reported that at the time of the breach, the BA did not have policies in place to address the removal of mobile devices from its premises and procedures for responding to security incidents, as required by the Security Rule. As part of the corrective action plan, CHCS is required to conduct an enterprise-wide risk analysis and then formulate a plan that is designed to mitigate the risks identified through the risk analysis to an appropriate level. CHCS is also required to develop and implement Security Rule policies and procedures and train workforce members on them. OCR will monitor CHCS’s compliance with the corrective action plan for two years.

OCR Director Jocelyn Samuels emphasized: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities…. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
  • St. Elizabeth’s Medical Center – June 2015 (RA/CAP and $218,000 resolution amount)
OCR investigated a complaint alleging that the CE’s workforce members used an internet-based document sharing application to store documents containing at least 498 individuals’ ePHI, without having analyzed associated risks. In a separate incident, the CE notified OCR of a breach of 595 individuals’ unsecured ePHI stored on a former workforce member’s personal laptop and flash drive. OCR’s investigation indicated the following conduct occurred:
  • Unauthorized disclosure of at least 1,093 individuals’ ePHI (45 CFR 160.103 and 164.502(a)).
  • Failure to implement sufficient security measures regarding the transmission and storage of ePHI, to reduce risks and vulnerabilities to a reasonable and appropriate level (45 CFR 164.308(a)(1)(ii)(B)).
  • Failure to timely identify and respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome (45 CFR 164.308(a)(6)(ii)).
Commenting on the settlement, OCR Director Samuels emphasized: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications …. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
  • QCA Health Plan, Inc. – April 2014 (RA/CAP and $250,000 resolution amount)
OCR received a breach notification from QCA reporting the theft of an unencrypted laptop, containing 148 individuals’ ePHI, from a workforce member’s car. According to OCR, while QCA encrypted devices after it discovered the breach, it had failed to comply with “multiple requirements” of the Privacy and Security Rules.

OCR’s investigation indicated the following conduct occurred:
  • Failure to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting a Security Rule risk analysis, and implementing security measures sufficient to reduce vulnerabilities of and risks to ePHI to a reasonable and appropriate level (45 CFR 164.306).
  • Failure to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
  • Impermissible disclosure of 148 individuals’ ePHI.
Commenting on this enforcement action, former OCR Deputy Director of Health Information Privacy Susan McAndrew emphasized: “Covered entities and business associates must understand that mobile device security is their obligation …. Our message to these organizations is simple: encryption is your best defense against these incidents.”
  • First Settlement Involving a Breach Affecting <500 Individuals: Hospice of North Idaho – December 2012 (RA/CAP and $50,000 resolution amount)
The underlying facts of HONI’s breach are not remarkable: the CE reported the theft of a laptop containing unencrypted ePHI. Unlike with previous settlements, however, the number of affected individuals – 441 – was relatively small. OCR’s investigation indicated the following conduct occurred:

  • Failure to conduct a Security Rule risk analysis as part of its security management process. Specifically, the CE did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted by portable devices, implement appropriate security measures to address these risks, document the chosen security measures and rationale for adopting them, and maintain ongoing reasonable and appropriate security measures.
  • Failure to adopt or implement security measures sufficient to manage risk to the confidentiality of ePHI maintained in and transmitted by portable devices to a reasonable and appropriate level.
Former OCR Director Leon Rodriguez emphasized: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information …. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

These enforcement actions telegraph not only OCR’s willingness to enforce against CEs and BAs for small breaches, but also important substantive issues such as the lack of data encryption or an alternative, equivalent measure, the lack of mobile device security, unsecured internet applications, and deficient Security Rule risk analyses and risk management plans.

OCR’s Small Breach Initiative

Beginning immediately, OCR intends to “more widely” investigate the root causes of small breaches. While Regional Offices will continue to retain discretion to prioritize their investigations into small breaches, each office will “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance” resulting in breaches. Among the factors OCR will consider when determining whether to investigate a small breach are:

  1. The size of the breach;
  2. Whether the breach involved theft or improper disposal of unencrypted ePHI;
  3. Whether the breach involved unwanted intrusions into IT systems (e.g., by hacking);
  4. The amount, nature, and sensitivity of the PHI involved; and
  5. Whether other breach reports from the same CE or BA raise similar issues.
OCR also suggested that it may investigate a CE or BA for its possible under-reporting of small breaches, which may be evidenced by the scarcity of small breach reports from a particular organization when compared to the volume of small breach reports OCR receives from other similarly situated organizations.


Given OCR’s new commitment to more rigorously investigate reports of small breaches, the launch of OCR’s Phase 2 Audit Program, and OCR’s continued efforts to hold CEs and BAs accountable for large breaches, now is an opportune time to proactively shore up your organization’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

For more information on health data breaches, contact Kim Metzger, Deepali Doddi or a member of Ice Miller's Data Security and Privacy group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 