OCR Ends 2017 With a Bang: What Can Regulated Entities Learn From a $2.3M “Big, Juicy, Egregious” Br OCR Ends 2017 With a Bang: What Can Regulated Entities Learn From a $2.3M “Big, Juicy, Egregious” Br

OCR Ends 2017 With a Bang: What Can Regulated Entities Learn From a $2.3M “Big, Juicy, Egregious” Breach?

All was quiet on the HIPAA enforcement front in the latter half of 2017. Until very recently, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) had not publicized a resolution agreement (RA) or civil money penalty since last May. Presumably, in the interim, the agency has been focused on completing the desk audit portion of its Phase 2 Audit Program and preparing for the upcoming covered entity (CE) and business associate (BA) field audits. But OCR may have laid low for another reason. At a joint OCR/NIST health information security conference in September 2017,[1] OCR Director Roger Severino announced a primary enforcement priority: to find a “big, juicy, egregious” breach to use as both an example and an educational tool for CEs and BAs.

OCR’s most recent settlement resolved just such a breach, and it offers important lessons for the regulated community. At the forefront: carefully cultivate and tend to your information security management process, and be proactive when it comes to patient trust.

What Happened?

On Dec. 28, 2017,[2] OCR announced a $2.3 million settlement with cancer care provider 21st Century Oncology, Inc. (21CO) to resolve alleged violations of the HIPAA Privacy Rule and Security Rule affecting more than 2 million individuals’ protected health information (PHI). 21CO is headquartered in Florida and operates and manages 179 treatment centers in the United States and Latin America.

OCR reports that on two separate occasions in November and December 2015, the FBI notified 21CO that an unauthorized third party had illegally obtained patient information. To drive this point home, the FBI showed 21CO patient files purchased by an FBI informant. According to OCR, 21CO’s internal investigation revealed that the attacker “may have accessed 21CO’s network SQL database as early as Oct. 3, 2015, through the remote desktop protocol from an exchange server within 21CO’s network.” The attacker’s impermissible access to patient names, social security numbers, physician names, diagnoses, and treatment and insurance information affected 2,213,597 patients.

After the unauthorized access was identified, the FBI requested 21CO delay publicly announcing the breach and issuing the notifications required by HIPAA.[3] When the requested delay ended on March 4, 2016, the company began notifying affected individuals as required by the Breach Notification Rule. While OCR's announcement does not address the content of 21CO’s breach notification letters to individuals,[4] a sample letter submitted to the California attorney general states:

21st Century Oncology is committed to maintaining the privacy and security of our patients’ personal information. Regrettably, we are writing to inform you of an incident involving some of that information.

On November 13, 2015, the Federal Bureau of Investigation (FBI) advised us that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database. We immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. The forensics firm determined that, on October 3, 2015, the intruder may have accessed the database, which contained information that may have included your name, Social Security number, physician’s name, diagnosis and treatment information, and insurance information. We have no evidence that your medical record was accessed.

The FBI asked that we delay notification or public announcement of the incident until now so as not to interfere with its investigation. Now that law enforcement’s request for delay has ended, we are notifying patients as quickly as possible. We continue to work closely with the FBI on its investigation of the intrusion into our system. In addition to security measures already in place, we have also taken steps to enhance internal security protocols to help prevent a similar incident in the future.

We have no indication that your information has been misused in any way; however, out of an abundance of caution, we are offering you a free one-year membership of Experian’s® ProtectMyID® Alert. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft. ProtectMyID Alert is completely free to you, and enrolling in this program will not hurt your credit score. For more information on identity theft prevention and ProtectMyID Alert, including instructions on how to activate your complimentary one-year membership, please see the additional information provided in this letter. We also recommend that you regularly review the explanation of benefits that you receive from your health insurer. If you see services that you did not receive, please contact your insurer immediately.

We deeply regret any concern this may cause you, and we want to emphasize that your care will not be affected by this incident. Should you have any questions, please call [toll free number/time].

Due to the size of the breach, 21CO notified OCR at the same time it began notifying individuals.[5] The company also filed a Form 8-K with the United States Securities and Exchange Commission, which informs shareholders of significant corporate events, and issued a press release. OCR's investigation indicated 21CO violated the Privacy Rule by impermissibly disclosing more than 2.2 million patients' PHI[6], and violated the Security Rule by:
 
1.      Failing to engage in risk analysis. As part of its Administrative Safeguards for electronic PHI, a CE or BA must implement a security management process consisting of policies and procedures to prevent, detect, contain, and correct security violations.[7] There are four parts to the security management process: risk analysis, risk management, a sanctions policy, and information system activity review.[8] Risk analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the CE or BA.[9]

2.      Failing to engage in risk management. The second component of the security management process builds upon the first. Risk management requires the CE or BA to implement security measures sufficient to reduce risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level.[10] The overall goals of risk management are to ensure the confidentiality, integrity, and availability of electronic PHI; protect against reasonably identified threats or hazards to security or integrity; protect against reasonably anticipated uses or disclosures that would violate the Privacy Rule; and ensure workforce compliance with the Security Rule.[11]

3.      Failing to conduct information system activity review. The third aspect of the security management process requires CEs and BAs to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.[12]

4.      Lacking appropriate business associate agreements (BAA). Covered entities, like all other businesses, often engage vendors to perform services on their behalf. If these services require the vendor to create, receive, maintain, or transmit PHI, the vendor is a business associate of the CE.[13] A CE may permit a BA to create, receive, maintain, or transmit electronic PHI on the CE’s behalf only if the CE obtains “satisfactory assurances” that the BA will appropriately safeguard the information.[14] These assurances must be documented in a written contract or other arrangement that meets Security Rule requirements, such as a BAA.[15] The lack of appropriate BAAs also violates the Privacy Rule.[16]

In addition to agreeing to pay a substantial resolution amount, 21CO entered into a comprehensive, two-year corrective action plan (CAP) that requires the company to take serious steps to achieve compliance with the HIPAA Rules. 21CO must:
1.      Complete an enterprise-wide Security Rule risk analysis and implement a risk management plan.
2.      Revise policies and procedures and submit them to OCR for approval. The revised policies and procedures must address:
a.      Information system activity review, as described above.
b.      Access establishment and modification. As part of its Security Rule Administrative Safeguards,[17] a CE or BA must also engage in information access management by implementing policies and procedures for authorizing access to ePHI consistent with the Privacy Rule.[18] This includes appropriately establishing and managing access to PHI. Specifically, the CE or BA must implement policies and procedures that are consistent with its access authorization policies and establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.[19] 21CO’s policies must include protocols for managing access to ePHI by affiliated physicians, their practices, and their employees.
c.       Access termination. Another important aspect of the Security Rule's Administrative Safeguards is workforce security. A CE or BA must implement policies and procedures to ensure all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access to ePHI.[20] This includes termination procedures. Specifically, the CE or BA must implement procedures for terminating access to ePHI when its arrangement with the workforce member ends or as it has otherwise determined is appropriate.[21] 21CO's policies must include protocols for terminating access to PHI by affiliated physicians, their practices, and their employees.
3.      Finalize and adopt the revised, approved policies and procedures and distribute them to all workforce members to whom they apply. The HIPAA Rules broadly define “workforce” to include a CE’s or BA’s “employees, volunteers, trainees, and other persons whose performance of work for the CE or BA is under the entity’s direct control,” whether or not they are paid by the CE or BA.[22]
4.      Provide OCR with an accounting of 21CO’s business associates (including a description of services provided and the BA’s handling of PHI and the date services began), and a copy of all business associate agreements. Neither OCR’s announcement, nor the RA itself, addresses violations by or attributable to 21CO’s BAs. However, OCR has focused extensively on business associate arrangements in 2016 and 2017, as discussed below.
5.      Implement an OCR-approved plan for internal monitoring of 21CO’s compliance with the CAP.
6.      Engage a “qualified, objective, independent third-party assessor," also approved by OCR, to review 21CO’s compliance with the CAP. The assessor must submit to OCR a written plan for investigating, assessing, and making compliance determinations. This includes unannounced site visits to assess workforce compliance, quarterly progress meetings with 21CO’s key management, and follow-up on incidents of noncompliance.
7.      Require all workforce members with access to ePHI to internally report all violations of the company's policies and procedures to the company's designated compliance representative, in a manner vetted by OCR.
 
Commenting on the resolution, OCR Director Severino emphasizes: "People need to trust that their private health information will remain exactly that: private. It is not just my hope that covered entities will learn from this example and proactively find and address their security risks, it is what the law requires."

Big, Juicy, and Egregious?

The 21CO breach is arguably the one OCR sought to make an object lesson in compliance. It certainly is big, affecting more than 2.2 million individuals. While OCR did not provide any guidance on what it might consider juicy or egregious, the company's backstory—and OCR's resolution and enforcement history—help illuminate these aspects of the breach.

Why might OCR consider the breach “juicy?” First, and not unexpectedly considering the number of individuals affected, the breach spawned significant litigation, including multiple class action lawsuits and a Multidistrict Litigation (MDL).The first putative class action was filed March 17, 2016, and within months 17 such actions were pending in California and Florida federal courts.[23] On the defendants’ motion, the Judicial Panel on Multidistrict Litigation ultimately centralized these cases for coordinated or consolidated pretrial proceedings in the Middle District of California as MDL No. 2737, In re: 21st Century Oncology Customer Data Security Breach Litigation.[24]

Second, and although OCR’s announcement does not address this, the plaintiffs’ complaints indicate the 2015 breach was not 21CO’s first. For example, in Corbel et al. v. 21st Century Oncology of California et al., filed April 25, 2016 in California, the plaintiffs allege that in 2013, the FBI notified 21CO that an employee was being indicted for improperly accessing patient records. [25] The Corbel plaintiffs attached to their complaint a July 10, 2013 letter from 21CO’s affiliate, 21st Century Oncology of Maryland, to the Maryland attorney general which states:
 
[O]n May 15, 2013 we learned from federal law enforcement officials that an employee of 21st Century Oncology Services, Inc. … ha[d] been criminally charged for having improperly accessed the personal health information of several … patients, including two (2) patients from Maryland.

Based on the felony indictment against the former employee, we believe that the personal health information was improperly accessed between October 11, 2011 and August 8, 2012. Also based on the indictment, we have reason to believe that the individual obtained the name, social security number, and date of birth of these patients, and shared this information with a third party, who used it and/or intended to use it in order to file fraudulent tax returns with the Internal Revenue Service.

The employee in question is no longer employed by 21st Century Oncology Services, Inc. In addition, we are cooperating fully in the ongoing federal investigation of this matter, and we are also conducting our own internal investigation to determine how the employee was able to access the patients' personal information.[26]


Third, as the Corbel lawsuit and others emphasize, the 2015 breach was more than simply “not the first.” It was also apparently not the first that the entity failed to detect on its own.[27] The Corbel complaint alleges:

42. Now, as stated in its March 2016 [breach] notifications, 21st Century Oncology has again learned of a breach of confidentiality of the personal and medication information in its possession from the FBI.

43. As with the 2013 data breach, 21st Century Oncology was apparently oblivious of the data breach until it learned of the breach from the FBI. Like the 2013 data breach, 21st Century Oncology has also been unable to determine, on its own, how and when the data breach occurred. Even after hiring what it calls 'a leading forensics firm' to support its investigation, its notifications only identify a date on which the database containing personal and medical information may  have been accessed by the unauthorized party.[28]

Fourth, the plaintiffs highlighted the alleged similarities between the 2011/2012 and 2015 breaches and questioned why the company had not employed security measures after the first breach sufficient to prevent the second:

44. The two data breaches, and 21st Century Oncology's responses to the two data breaches, show that 21st Century Oncology has not had systems in place to adequately monitor and protect against unauthorized access to patient information. 21st Century Oncology failed to properly encrypt the personal and medical information in its possession for electronic storage, as would have been reasonable and appropriate in light of its known and admitted risk of cyber intrusions,[29] ensuring only authorized access and usage to [sic] the information. 21st Century Oncology's security systems also apparently lack sufficient user identification and audit controls, leaving 21st Century Oncology unable to identify the who, what, when, where, and how of unauthorized access to patient information ….[30]

If a prior breach, FBI involvement, and significant resulting litigation are not enough to make this breach “juicy,” consider the company’s generally beleaguered state. 21CO suffered serious financial setbacks when it resolved three sets of False Claims Act (FCA) violations: one in December 2015 for $19.75 million,[31] a second in March 2016 for $34.7 million[32] (after which 21CO publicized the breach that formed the basis for its settlement with OCR), and a third in December 2017 for $26 million (which also resolves alleged Stark Law (physician self-referral) violations).[33] As part of the December 2017 settlement, the company also entered into a new five-year Corporate Integrity Agreement with the HHS Office of Inspector General.

On May 25, 2017, 21CO filed for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York. The bankruptcy court’s December 11, 2017 order approving the OCR settlement also resolves the Florida class action lawsuits transferred to the MDL and allows these plaintiffs to seek reimbursement from 21CO’s cyber insurer.[34]

All things considered, 21CO’s 2015 data breach can fairly be called juicy. But was the breach egregious? The factors that make it big and juicy can certainly be said to make it so. But perhaps a more compelling argument comes from OCR’s recent compliance and enforcement history regarding the security management process for electronic PHI.

As described above, the security management process is one of the Administrative Safeguards CEs and BAs must implement to protect the electronic PHI they create, receive, maintain, and transmit. The security management process consists of risk analysis, risk management, a sanctions policy, and information system activity review.

The security management process has been a focus of OCR attention and compliance/ enforcement action. In fact, OCR emphasizes that “[r]isk analysis, ongoing risk management, and routine information systems reviews are the cornerstones of an effective HIPAA security compliance program.”[35] So important is the security management process that it has been at the root of:
 
  • A civil money penalty. OCR and a regulated entity can resolve issues of noncompliance informally by obtaining voluntary compliance, or through corrective action and/or a resolution agreement. If the matter is not resolved informally, OCR can impose a civil money penalty (CMP) that is proportionate to the entity’s level of culpability associated with the HIPAA violation.  For example, an entity whose willful neglect of HIPAA requirements leads to a breach will suffer a greater penalty than an entity whose noncompliance was not willful. Additional factors affecting the amount of the CMP include: the nature of the violation, including the number of persons affected and the duration of the violation; the nature and extent of the resulting harm; the entity’s compliance history; and the entity’s financial condition.[36]
OCR has imposed only three HIPAA civil money penalties. The third, announced in February 2017, relates to insufficient risk management. OCR imposed a $3.2 million CMP against Children’s Medical Center of Dallas resulting from loss of an unencrypted, non-password protective BlackBerry containing 3,800 individuals’ electronic PHI, and theft of an unencrypted laptop from the entity’s premises containing 2,462 individuals’ ePHI. OCR’s investigation revealed the entity’s failure to implement risk management plans despite external recommendations to do so, and failure to timely deploy encryption or an equivalent alternative measure on all laptops, work stations, mobile devices, and removable storage media. Despite knowing of the risks associated with unencrypted portable electronic devices since 2007, the CE issued unencrypted BlackBerrys and allowed workforce members to use unencrypted laptops and other mobile devices until 2013.

Commenting on the penalty, former OCR Acting Director Robinsue Frohboese admonished: “Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizeable fine.”
 
  • The largest settlement with a single covered entity. In August 2016, OCR announced that Advocate Health Care Network in Illinois agreed to pay $5.55 million to settle multiple potential violations stemming from three separate incidents, which collectively impacted approximately 4 million individuals’ electronic PHI: theft of 4 desktop computers from an administrative office, unauthorized access to a business associate’s network, and theft of an unencrypted laptop from a workforce member’s vehicle. The size of the settlement resulted, in part, from the systemic nature and long duration of the indicated noncompliance (in some cases, dating back to the Security Rule’s inception), and the number of individuals affected. Commenting on the settlement, former OCR Director Jocelyn Samuels emphasized: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ PHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
  • The first settlement with a business associate. In June 2016, OCR announced that Catholic Health Care Services of the Archdiocese of Philadelphia agreed to pay $650,000 to settle potential Security Rule violations affecting 412 individuals’ electronic PHI. CHCS provided management an information technology services as a business associate to six skilled nursing facilities. The violations stemmed from theft of an unencrypted, non-password protected iPhone. The PHI on the device was extensive and included social security numbers, information regarding diagnosis and treatment, medical procedures, and medication information. Former Director Samuels stated: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
  • The first settlement with a state agency. In June 2012, OCR announced a $1.7 million settlement with the Alaska Department of Health and Social Services after a portable electronic storage device “possibly” containing ePHI was stolen from an employee’s vehicle. OCR’s investigation indicated, among other things, that the CE had not completed a risk analysis or implemented sufficient risk management measures. Former OCR Director Leon Rodriguez commented: “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are public or private entities.”
  • Recent OCR attention: Before things went quiet in the second half of 2017, we saw some robust OCR attention to the security management process, including:
    • MAPFRE Life Insurance Company of Puerto Rico (January 2017; $2.2M resolution amount). A USB storage device containing more than 2,000 individuals’ ePHI was stolen from the entity’s IT department overnight. OCR determined that, contrary to the entity’s prior representations, it had not conducted a risk analysis or implemented a risk management plan. Specifically, the CE had failed to deploy encryption on laptops and electronic storage media until September 2014, and failed to implement or delayed implementing other corrective measures it informed OCR it would undertake. Former OCR Director Jocelyn Samuels commented: “Covered entities must not only make [risk] assessments to safeguard ePHI, they must act on those assessments as well. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
    • CardioNet (April 2017; $2.5M resolution amount). A workforce member’s laptop, containing almost 1,400 individuals’ ePHI, was stolen from a parked vehicle outside the workforce member’s home. OCR’s investigation revealed an insufficient risk analysis and risk management plan in place at the time of the theft. Further, the CE’s Security Rule policies and procedures were in draft form and had not been implemented, and the organization was unable to produce final policies and procedures for implementing ePHI safeguards, including those for mobile devices. OCR Director Severino remarked: “Mobile devices in the health care sector remain particularly vulnerable to theft and loss. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”
    • Metro Community Provider Network (April 2017; $400K resolution amount). A phishing incident exposed 3,200 individuals’ ePHI. The CE took corrective action, but did not conduct a risk analysis until a month after the attack, and OCR deemed the risk analysis insufficient. Before the attack, the CE had not conducted a risk analysis or implemented a risk management plan. OCR Director Severino admonished: “Patients seeking health care trust that their providers will safeguard and protect their health information. Compliance with the HIPAA Security Rule helps [CEs] meet this important obligation to their patient communities.”
In 21CO's case, the fact that absent or ineffective security management allowed malicious outsiders to access more than 2.2 million 21CO patients’ electronic PHI certainly contributes to the egregiousness of the breach.

So, too, does 21CO’s deficiencies in information system activity review and access management. These have also been areas of significant OCR attention, both in education and investigation. In February 2017, Memorial Healthcare System paid the second-highest resolution amount in OCR history—$5.5 million—after reporting that workforce members impermissibly accessed more than 115,000 individuals’ electronic PHI and disclosed it to affiliated physician office staff. A former employee’s login credentials had been used to access ePHI on a daily basis, affecting 80,000 individuals. The hospital’s resolution agreement with OCR notes that some of these instances resulted in federal charges related to selling PHI and filing fraudulent tax returns.

OCR’s investigation indicated that for an 18-month period, the CE failed to implement an appropriate information system activity review and failed to implement policies and procedures to establish, document, review, and modify workforce members’ access rights. Former Acting OCR Director Frohboese emphasized: “Access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

For these reasons, it is not difficult to view the 21CO breach as just the type OCR was seeking to make an example.

Lessons for Regulated Entities.

The 21CO settlement highlights recurring themes in OCR compliance resolution, and regulated entities would do well to analyze them thoroughly and apply the resulting lessons to their own compliance programs.

When digesting these tips, it is important to understand that while the HIPAA Rules describe what a CE or BA must do to safeguard PHI, they do not mandate a particular path to compliance. Nor does the agency expect Teflon™-coated impenetrability. Rather, a regulated entity is expected to act “reasonably and appropriately” to implement security measures sufficient to protect PHI, considering the enumerated factors specific to the entity and its PHI. Regulated entities share common compliance standards and specifications, but implementation may look quite different.

In light of the 21CO settlement, CEs and BAs should strive to:

1.      Be proactive. Waiting for an incident or complaint to jump-start significant compliance efforts will not serve your constituents or your business. If you fear any aspect of your compliance program is absent or stale, now is the time to pull out OCR’s audit program protocol, talk with (or find!) your favorite advisor, and get an immediate handle on your status, your gaps, and the necessary mitigations.

2.      Ensure a firm foundation. OCR is clear: the security management process is the cornerstone of effective Security Rule compliance. With settlement after settlement underscoring the foundational aspect of information security management, and OCR selecting risk analysis and risk management as areas of review for the Phase 2 audits, CEs and BAs that lag behind in that area can reasonably expect tougher lessons in the event of a compliance audit or incident-driven investigation. Take a hard look at your entity’s risk analysis, risk management, sanctions policy, and information system activity review: how do they measure up against OCR’s audit program protocol? Has your entity acted reasonably and appropriately to implement security management tools considering its size and capabilities, cost, and identified risks to PHI?

3.      Engage in active access management. In addition to security management, CEs and BAs must implement workforce security[37] and information access management[38] as part of their Administrative Safeguards for electronic PHI. To achieve compliance in this area, CEs and BAs must implement policies and procedures to:
a.      Ensure all workforce member have appropriate access to electronic PHI (including ensuring access is terminated when a workforce member separates or no longer needs access);[39]
b.      Authorize access to electronic PHI consistent with the Privacy Rule;[40] and
c.      Perform a periodic technical and nontechnical evaluation of these policies and procedures in response to environmental or operational changes affecting security.[41]
 
The 21CO resolution is not the first to focus on access management. For example, in November 2015, OCR entered into a $3.5 million resolution agreement with Triple-S Management Corporation resulting in part from a former workforce member being able to access a proprietary database containing electronic PHI. OCR’s investigation indicated, among other things, that Triple-S violated the Security Rule by failing to implement procedures sufficient to ensure the workforce member’s access to PHI was terminated after separation from employment.
 
4.      Include the C-suite. Members of your organization’s C-suite are not only leaders who must buy in to the concept of compliance, they are workforce members who must actually comply. In May 2017, OCR entered into a $2.4 million resolution agreement with Memorial Hermann Health System related to alleged Privacy Rule violations by members of leadership. In that case, a patient presented fraudulent identification, and staff alerted authorities, resulting in the patient’s arrest. The entity's use and disclosure of PHI to report a crime was not the problem. The compliance issue arose later, when the CE disclosed PHI without patient authorization in a press release to 15 media outlets, 3 senior leadership meetings with outside entities, and a statement on the entity’s website. The entity also failed to document an important aspect of the security management process: workforce sanctions for violation of Security Rule policies and procedures.

OCR Director Severino emphasized: “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.”

Covered entities should be aware that when their senior leadership demonstrates a reckless disregard for HIPAA compliance, OCR is more likely to treat a violation as resulting from the entity’s “willful neglect” of its HIPAA obligations.  Accordingly, OCR may assess a steeper CMP or seek a higher monetary settlement amount.

5.      Tend to business associate relationships. OCR has placed a great deal of emphasis on the business associate relationship. In 2013, the agency issued guidance on business associate agreements, and BAs are now directly liable for violations of the HIPAA Rules. In other words, both CEs and BAs have a vested interest in executing a compliant BAA before the BA creates, receives, maintains, or transmits PHI on the CE’s behalf.

In April 2017, OCR entered a $31,000 resolution with the Center for Children’s Digestive Health, a fairly small provider in Illinois, which underscores this point. OCR initiated a compliance review of the CE after investigating a BA that had stored records containing PHI since 2003. Neither entity could produce a business associate agreement before October 2015. Lest you take too much comfort from the relatively small resolution amount, consider resolutions in 2016 related to the business associate relationship:
a.      First resolution with a BA. Catholic Health Care Services of the Archdiocese of Philadelphia (June 2016): $650K resolution amount. We discuss this settlement in detail above.
b.      Three resolution agreements with CEs related to a BA’s breach or the CE’s failure to identify and appropriately contract with BAs.
1)      North Memorial Health Care  (March 2016): $1.55M resolution amount. An unencrypted, non-password protected laptop stolen from the locked vehicle of the BA’s employee. The CE had failed to enter into a BAA with this business associate, a “major contractor,” and failed to institute an organization-wide risk analysis to address this vulnerability. Former OCR Director Samuels emphasized: “Two major cornerstones of the HIPAA Rules were overlooked by this entity. Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
2)      Raleigh Orthopaedic Clinic, P.A. (April 2016): $750K resolution amount. The CE released x-ray films and other PHI of 17,300 patients to a business partner after “orally arranging” for services, without executing a BAA. OCR notes the oral arrangement “left this sensitive information without safeguards and vulnerable to misuse or improper disclosure.” Commenting on the settlement, former OCR Director Samuels admonished: “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
3)      Care New England Health System (September 2016): $400K resolution amount. CNE is a business associate providing centralized corporate support for member health care providers (CEs) under its common ownership. One CE member notified OCR that CNE had lost backup tapes containing 14,000 individuals’ PHI. The CE produced a BAA effective March 2005, but it was not updated until August 2015, as a result of OCR’s investigation (and therefore did not incorporate revisions required by the 2013 Omnibus Final Rule).
 
Former OCR Director Samuels emphasized: “This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.  A sample Business Associate Agreement can be found on OCR’s website to assist covered entities in complying with this requirement.”
 
Both CEs and BAs should re-evaluate their vendor relationships (and any BAAs already in place) in light of the Omnibus Final Rule, with a compliance date of Sept. 23, 2013. The Rule clarifies that BAs are directly liable under the Security Rule and many provisions of the Privacy Rule. It also expands the definition of “business associate” to include both subcontractors of BAs, and entities (such as storage facilities) that “maintain” PHI on a CE’s behalf. Therefore, business relationships that did not need a BAA before the Omnibus Final Rule may need one now. Regulated entities should also evaluate existing BAAs to ensure they are compliant with the Omnibus Final Rule. BAAs must now require the BA to comply with the Security Rule, enter into BAAs with subcontractors, and report breaches to the CE.

Conclusion

The year 2017 proved to be another busy and active one for OCR, as it collected more than $19 million in HIPAA settlements and a civil money penalty, while continuing to randomly audit CEs and BAs as part of its Phase 2 Audit Program.  Because there is no sign OCR will waver in its enforcement efforts in the coming years, CEs and BAs should proactively strengthen their HIPAA security management processes to avoid breaches that are “big, juicy, and egregious.”

For more information, contact Kim Metzger, Deepali Doddi or another member of our HIPAA Privacy and Security Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 
 

[1] Director Severino’s Opening Remarks, 10th Annual NIST/OCR Conference "Safeguarding Health Information: Building Assurance through HIPAA Security, September 5, 2017, Washington D.C.
[2] Although OCR did not issue its press release until December 28, 2017, the agency’s resolution with 21CO was finalized earlier in the month.  21CO had filed for Chapter 11 bankruptcy, and on December 11, 2017, the U.S. Bankruptcy Court for the Southern District of New York issued an order approving its settlement with OCR. 
[3] The HIPAA Breach Notification Rule contemplates delaying  required notices and postings at law enforcement’s request if they would impede a criminal investigation. 45 C.F.R. § 164.412.
[4] The Breach Notification Rule requires notifications to include, in plain language and to the extent possible, a brief description of what happened, a description of the types of unsecured PHI involved in the breach, steps individuals should take to protect themselves from harm, a brief description of what the CE or BA is doing to investigate the breach, mitigate harm, and protect against further breaches, and contact information for questions and additional information. (45 C.F.R. 164.404(c)(1)).
[5] For breaches involving 500 or more individuals’ PHI, the CE must notify HHS contemporaneously with affected individuals. 45 C.F.R. § 164.408(b). When fewer than 500 individuals’ PHI is involved, the entity can report to HHS annually along with other such breaches. 45 C.F.R. § 164.408(c).
[6] 45 C.F.R. § 164.502(a).
[7] 45 C.F.R. § 164.308(a)(1)(i).
[8] 45 C.F.R. § 164.308(a)(1)(ii).
[9] 45 C.F.R. § 164.308(a)(1)(ii)(A).
[10] 45 C.F.R. § 164.308(a)(1)(ii)(B).
[11] 45 C.F.R. § 164.306(a).
[12] 45 C.F.R. § 164.308(a)(1)(ii)(D). The fourth component of the security management process – sanctions policy – requires the CE or BA to apply appropriate sanctions against workforce members who fail to comply with the entity’s security policies and procedures. 45 C.F.R. § 164.308(a)(1)(ii)(C).
[13] 45 C.F.R. § 160.103 (defining “business associate”).
[14] 45 C.F.R. § 164.308(b)(1).
[15] 45 C.F.R. § 164.308(b)(3).
[16] 45 C.F.R. § 164.502(e).
[17] The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards (Safeguards) to (1) ensure the confidentiality, integrity, and availability of all ePHI the CE or BA creates, receives, maintains, or transmits; (2) protect against reasonably anticipated threats or hazards to the security or integrity of ePHI; (3) protect against reasonably anticipated uses and disclosures of ePHI that would violate the Privacy Rule; and (4) ensure its workforce complies with the Security Rule. (45 C.F.R. § 164.306(a)). This means using security measures that allow the CE or BA to reasonably and appropriately implement the standards and specifications described in the Safeguards. (45 C.F.R. § 164.306(b)(1)). In deciding which security measures to use, the CE or BA must take into account its size, complexity, and capabilities; its technical infrastructure, hardware, and software capabilities; cost; and the probability and criticality of potential risks to ePHI. ((45 C.F.R. § 164.306(b)(2)).
[18] 45 C.F.R. § 164.308(a)(4)(i).
[19] 45 C.F.R. § 164.308(a)(4)(ii)(C).
[20] 45 C.F.R. § 164.308(a)(3)(i).
[21] 45 C.F.R. § 164.308(a)(3)(ii)(C).
[22] 45 C.F.R. § 160.103.
[23] In re 21st Century Oncology Cyber Attack Litigation, Brief in Support of Motion to Transfer and Consolidate for Coordinated Pretrial Proceedings Under 28 U.S.C. 1407, p. 2.
[24] Case No. 8:16-md-2737-MSS-AEP (Hon. Mary S. Scriven)
[25] See Corbel et al. v. 21st Century Oncology of California et al., Case No. 3:16-cv-02944-WHA, N.D. Cal.  (Complaint, Dkt. 1-1 ¶ 40) (Corbel Complaint).
[26] Corbel Complaint, ¶ 40 and Exhibit C.
[27] See, e.g., Corbel Complaint ¶ 41 ("This belief [about the dates of access] was apparently based on the government's felony indictment of the former employee, not on any systems 21st Century Oncology had in place to identify the sources of causes of data breaches.").
[28] Corbel Complaint ¶¶ 42-43
[29] In its Form 10-K for fiscal year ended December 31, 2014 (filed with the SEC on March 27, 2015), 21CO stated:
 
Our information systems are critical to our business and a failure of those systems could materially harm us.
 
We depend on our ability to store, retrieve, process and manage a significant amount of information, and to provide our treatment centers with efficient and effective accounting and scheduling systems. Our information systems require maintenance and upgrading to meet our needs, which could significantly increase our administrative expenses. We are currently upgrading multiple systems and migrating to other systems within our organization.
Furthermore, any system failure that causes an interruption in service or availability of our systems could adversely affect operations or delay the collection of revenues. Even though we have implemented network security measures, our servers are vulnerable to computer viruses, break-ins and similar disruptions from unauthorized tampering. The occurrence of any of these events could result in interruptions, delays, the loss or corruption of data, or cessations in the availability of systems, all of which could have a material adverse effect on our financial position and results of operations and harm our business reputation.
 
(p. 45). See Corbel Complaint ¶¶ 17-18. It is unfair, however, to cast this statement in and of itself as evidence that 21CO had a "known and admitted risk of cyber intrusions" greater that the risk inherent to any information system that creates, receives, maintains, or transmits electronic data. All information systems are vulnerable to some degree of intrusion, and no system is, or can be expected to be, bulletproof. As described in the Security Rule, OCR expects regulated entities to implement security measures "sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level" (45 C.F.R. § 164.308(a)(1)(ii)(B)) – not ones that completely eliminate all risk to electronic PHI. The Security Rule contemplates a flexible approach to security management that considers such factors as the entity's size, complexity, and capabilities; its technical infrastructure, hardware, and software capabilities; the cost of the security measures; and the probability and criticality of potential risks to ePHI. (45 C.F.R. § 164.306(b)(2)).
 
[30] Corbel Complaint ¶¶ 42-44
[31] United States, State of Florida, ex rel. Mariela Barnes v. Dr. David Spellberg, 21st Century Oncology and Naples Urology Associates, Civil Action No. 2:13-cv-228-FtM-38DNF (M.D. Fla.). One Florida urologist, employed at a division of 21st Century Urology, LLC, also agreed to pay more than $1 million to settle alleged violations of the False Claims Act. A second agreed to pay $3.8 million, and a third agreed to pay $250,000.
[32] United States ex rel. Ting v. 21st Century Oncology and South Florida Radiation Oncology (M.D. Fla.)
[33] United States ex rel. Moore v. 21st Century Oncology LLC, No. 2:16-cv-99 (M.D. Fla.)
[34] In re: 21st Century Oncology Holdings, Inc., et al., Case No. 17-22770 (RDD), Dkt. 825.                                                   
[35] Former OCR Director Leon Rodriguez, commenting on OCR’s May 2013 settlement with Idaho State University, in which the covered entity agreed to pay $400,000 to settle alleged security rule violations. In that case, the disabling of firewall protections at servers maintained by the university compromised the security of 17,000 patients at a university medical clinic.
[36] 45 C.F.R. § 160.408.
[37] 45 C.F.R. § 164.308(a)(1).
[38] 45 C.F.R. § 164.308(a)(4).
[39] 45 C.F.R. § 164.308(a)(3).
[40] 45 C.F.R. § 164.308(a)(4).
[41] 45 C.F.R. § 164.308(a)(8).

View Full Site View Mobile Optimized