Security Rule Recidivism – OCR Fines HIPAA Covered Entity After Repeat Noncompliance
On July 18, 2016, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced it had reached a $2,700,000 settlement with Oregon Health & Science University (OHSU), a covered entity (CE), to resolve potential violations of the HIPAA Security Rule. OCR reported that its investigation revealed "widespread and diverse" compliance problems at OHSU, a public academic health center and research university consisting of two hospitals and numerous clinics.
OCR opened its investigation after receiving multiple breach reports from the CE, including two reports involving unencrypted laptops and a large breach involving an unencrypted thumb drive. Specifically, OHSU reported the following breaches:
In 2009, the theft of an unencrypted laptop from a physician's car, containing the electronic protected health information (ePHI) of approximately 1,000 patients.
In 2012, the theft of an unencrypted thumb drive from an employee's home, containing the ePHI of approximately 14,000 premature infants.
In 2013, the theft of an unencrypted laptop, containing 4,022 surgical patients' ePHI, from a surgeon's Hawaii vacation home.
In 2013, the storage of 3,044 patients' ePHI on an internet-based cloud storage service, Google Drive, with which OHSU did not have a business associate agreement (BAA).
In 2016, the theft of a hard drive containing ePHI from a research student's car.
OCR's investigation revealed evidence of "widespread vulnerabilities" in OHSU's HIPAA compliance program. Notably, OCR reported that OHSU had performed at least six (6) Security Rule risk analyses, but they were not enterprise-wide in scope—that is, the risk analyses did not address all of the ePHI maintained or transmitted within the organization. Further, OCR noted that OHSU had not timely implemented measures to reduce the risks and vulnerabilities to ePHI, which it had specifically identified in its limited-scope risk analyses, to reasonable and appropriate levels. OCR also found that OHSU "lacked policies and procedures to prevent, detect, contain, and correct security violations and failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk."
OCR and OHSU entered into a resolution agreement (RA) that requires the payment of a $2,700,000 resolution amount, and a comprehensive corrective action plan (CAP) that mandates three years of monitoring by OCR. This settlement resolves potential HIPAA violations that OCR uncovered particularly as a result of its investigation into the theft of the unencrypted laptop containing ePHI in 2013, as well as the disclosure of over 3,000 individuals' ePHI to Google Drive without a BAA in place.
OCR's investigation indicated the following conduct occurred:
From January 5, 2011 to July 3, 2013, OHSU: (1) impermissibly disclosed over 3,000 individuals' ePHI when it provided the ePHI to a third-party internet-based provider without obtaining a BAA or other satisfactory assurance that the provider would safeguard the ePHI; (2) failed to obtain a BAA from an internet-based service provider storing ePHI on its behalf as a business associate (BA); and (3) failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
From July 12, 2010 through the present, OHSU failed to implement a mechanism to encrypt and decrypt ePHI or an equivalent alternative measure for all ePHI maintained in OHSU’s enterprise.
From May 29, 2013 to July 3, 2013, OHSU failed to implement policies and procedures to address security incidents.
OCR Director Jocelyn Samuels commented: "From well-publicized large scale breaches and findings in their own risk analyses, OHSU had every opportunity to address security management processes that were insufficient. Furthermore, OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI …. This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously."
Lessons Learned from the OHSU RA/CAP
A. Perform an Enterprise-Wide Security Rule Risk Analysis
Phase II compliance audits are underway – just last week, OCR notified 167 covered entities selected for desk audits and gave them just 10 business days to submit requested documents. The Security Rule risk analysis is among the requirements for which OCR will audit these CEs.
A risk analysis is an enterprise-wide "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability" of ePHI.
Risk analysis is a required implementation specification under the Security Rule, meaning that a CE or BA must perform the analysis in order to be compliant with the Security Rule. OCR Director Samuels has called comprehensive risk analysis, in combination with timely risk management practices, “the cornerstone of any good compliance program.”
The Security Rule generally encourages a flexible approach to information security management (including the risk analysis), and a CE or BA may use "any security measures" that allow it to "reasonably and appropriately" implement Security Rule requirements.
Factors to consider when evaluating what is reasonable and appropriate for your organization include:
The entity's size, complexity, and capabilities.
The entity's technical infrastructure, hardware, and software security capabilities.
The cost of the contemplated security measures, and whether the entity will have to divert resources from other mission-critical functions to implement the measures.
The probability and criticality of potential risks to ePHI – how likely is it that the identified threats will occur, and how serious will the consequences be if they do?
OCR has imposed significant enforcement against covered entities – and, for the first time, against a business associate – for failing to perform an appropriate Security Rule risk analysis. Underlying issues included failing to encrypt portable electronic media devices, downloading malware, failing to terminate employee access rights, using internet file-sharing applications, and improperly using shared data networks. In each case, OCR entered into a significant monetary settlement with the organization and required a corrective action plan.
B. Do Something About What You Find
The Security Rule requires CEs and BAs to implement a security management process including policies and procedures to “prevent, detect, contain, and correct security violations.”
Risk analysis is the “detection” component, but the process does not stop there. Another required piece of the security management process is risk management: implementing security measures “sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level ….”
OCR does not intend security management to begin and end with the risk analysis. Identifying vulnerabilities and risks is only half the battle. You also must do something about them. The OHSU settlement is not the first in which lack of follow-through on the risk analysis was at issue. For example, in April 2014, OCR announced a $1.7M settlement with a covered entity involving theft of an unencrypted laptop. Like OHSU, this covered entity had previously performed "multiple" risk analyses, and had identified lack of encryption as a vulnerability. While the CE had taken steps to begin encryption, OCR described its efforts as "incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization."
A strong message to take from both enforcement actions is to avoid letting your Security Rule risk analysis gather dust. The risk analysis should be an active, living document that guides the formulation of a risk management plan and leads to timely corrective action. Only then can it truly be part of a security management process, as the Security Rule intends.
C. Safeguard ePHI Taken Off-Site
Break-ins, loss, and theft are common breach themes for both paper and electronic PHI. CEs and BAs lose a measure of control over PHI once it leaves the entity’s premises. The Security Rule addresses the issue directly: as part of their physical safeguards for ePHI, CEs and BAs must implement policies and procedures for device and media control, including “receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility."
The Privacy Rule more generally requires appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including safeguarding PHI from unauthorized use or disclosure, whether intentional or unintentional.
OCR enforcement, including imposition of civil money penalties in one case, underscores the importance of analyzing the risks and vulnerabilities attendant to offsite use, implementing policies and procedures to reduce those risks and vulnerabilities to an acceptable level, and appropriately training workforce members. In fact, OCR's first RA/CAP involved lost or stolen unencrypted portable media, as did its second-ever civil money penalty.
CEs and BAs should have clear policies regarding off-site transport of PHI, whether paper or electronic, including who can remove PHI from the premises, for what purpose, in what form, and with what physical and technical safeguards. For example, PHI removed from the premises for legitimate business/patient-care purposes should never be left unattended, particularly in a vehicle. Electronic PHI should not leave the premises unless encrypted. CEs and BAs should ensure their workforce members are trained on these policies and procedures, and understand the consequences that can follow from loss or theft of ePHI.
D. Encrypt Electronic PHI
Encryption is an important concept for both the Breach Notification Rule and the Security Rule. The Breach Notification Rule requires CEs to notify individuals, HHS, and sometimes the media, of breaches of “unsecured protected health information.”
“Unsecured protected health information” is PHI that is not rendered “unusable, unreadable, or indecipherable to unauthorized persons” through methods authorized by HHS.
HHS guidance issued in 2009 states that ePHI has been rendered unusable, unreadable, or indecipherable if it has been encrypted by use of an "algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and the confidential process or key that might enable decryption has not been breached." The guidance specifies certain encryption processes for ePHI at rest and in motion that NIST has tested and judged to meet appropriate Security Rule standards. Significantly, breaches of secured ePHI—such as ePHI that has been encrypted pursuant to the HHS guidance—do not need to be reported to OCR, the affected individuals, or the media.
Under the Security Rule, “encryption” is an addressable implementation specification requiring CEs and BAs to implement a mechanism to encrypt ePHI at rest and in motion “whenever deemed appropriate.”
When is it appropriate to encrypt ePHI at rest and in motion? The answer is almost certainly "always." Former OCR Deputy Director of Health Information Privacy Susan McAndrew emphasized: “Covered entities and business associates must understand that mobile device security is their obligation …. Our message to these organizations is simple: encryption is your best defense against these incidents.”
E. Enter Into Business Associate Agreements as Required
Several of the most recent OCR enforcement actions, including the OHSU settlement, highlight the importance of obtaining a business associate’s satisfactory assurances, in the form of a written business associate agreement, that it will appropriately safeguard PHI – and to do this before disclosing PHI to the business associate. It is critical to examine your organization’s relationships with its service providers to determine whether those entities are HIPAA “business associates” with whom you must enter into business associate agreements.
F. Involve Your C-Suite
An organization cannot achieve the necessary top-to-bottom compliance without C-suite buy-in. Not only must top executives be aware, informed, and involved—they must also be accountable, like all other workforce members.
The HIPAA Rules apply with equal force to all levels of the organization and to all workforce members. If a CE or BA is not a natural person, its workforce members act on its behalf to safeguard the confidentiality, integrity, and availability of PHI. The C-suite, like all other workforce members, must comply with the HIPAA Rules when using and disclosing the organization’s PHI. When a violation occurs, the fact that a member of “upper management” was responsible will not shield the CE or BA from liability.
Former OCR Director Leon Rodriguez said: “Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients’ rights are fully protected.”
OHSU is the latest in a series of OCR RA/CAPs that underscore common compliance problems: the theft or loss of portable media devices, especially those transported off-site; the lack of encryption or a reasonable, equivalent alternative measure; the absence of required business associate agreements, and the lack of an accurate and thorough Security Rule risk analysis and a corresponding risk management plan. With Phase II audits underway, and with health information a prime target for criminals seeking valuable data for financial and medical identity theft, now is the time to ensure your organization is compliant in this vitally important area.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
OCR noted a "significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses."
45 C.F.R. § 164.502(a).
45 C.F.R. § 164.308(b).
45 C.F.R. § 164.308(a)(1)(i).
45 C.F.R. §§ 164.312(a)(2)(iv) and 164.306(d)(3).
45 C.F.R. § 164.308(a)(6)(i).
45 C.F.R. § 164.308(a)(1)(ii)(A).
45 C.F.R. § 164.306(b).
45 C.F.R. § 164.308(a)(1)(i).
45 C.F.R. § 164.308(a)(1)(ii)(B).
45 C.F.R. § 164.310(d)(1).
45 C.F.R. § 164.530(c)(2)(i).
45 C.F.R. § 164.404(a) (notification to individuals); § 164.406(a) (notification to media); § 164.408(a) (notification to HHS).
45 C.F.R. § 164.402.
Still, a CE or BA should implement its policies and procedures for addressing security incidents, which are required by the Security Rule at 45 C.F.R. § 164.308(a)(6)(i), to properly respond to these unreportable breaches.
45 C.F.R. §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii). "Addressable" does not mean "optional." When a standard includes addressable implementation specifications, the CE or BA must (1) implement the implementation specification if reasonable and appropriate, or (2) document why implementation is not reasonable and appropriate, and implement an equivalent alternative measure if reasonable and appropriate. (See 45 C.F.R. § 164.306(d)(3)).
Generally, a “business associate” is a person or entity that creates, receives, maintains, or transmits PHI to provide certain services to a covered entity or another business associate. (45 C.F.R. § 160.103).