On October 30, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $202,400 Resolution Agreement and Corrective Action Plan (CAP) with the City of New Haven, Connecticut (New Haven) to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The Resolution Agreement is not an admission of liability by New Haven and the city is not liable for civil monetary penalties.

This OCR settlement is an important reminder that governmental entities that are or have HIPAA-covered entities as part of their operations need to comply with HIPAA requirements. Such entities could include, but are not limited to, government run public health clinics, health departments, and hospitals.

The New Haven Health Department (NHHD) operates a public health clinic providing health care services including diagnosis and treatment for sexually transmitted diseases, tuberculosis testing, and immunizations.

On January 24, 2017, HHS received a breach notification from NHHD reporting that a former employee may have accessed a file on an NHHD computer containing the protected health information (PHI) of nearly 500 individuals. OCR’s investigation revealed that on July 19, 2016, an employee was terminated. On July 27, 2016, the former employee returned to the NHHD, logged into her old computer with her still-active user name and password, and downloaded PHI onto a USB drive. The PHI included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. OCR also found that the former employee had shared her user ID and password with an NHHD intern, who continued to use these login credentials to access PHI on NHHD’s network after the employee was terminated. The OCR investigation concluded that NHHD failed to conduct an accurate and thorough enterprise-wide risk assessment, did not implement employee termination procedures, and did not implement HIPAA Privacy Rule policies and procedures.

In addition to the monetary settlement, New Haven entered into a robust CAP that includes two (2) years of monitoring by HHS. Under the CAP, New Haven has agreed to perform each of the following:

• Conduct and complete a comprehensive enterprise-wide analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the NHHD;
• Develop a risk management plan to address and mitigate any security risks and vulnerabilities discovered during the risk analysis;
• Review, revise, and submit to HHS for approval, written policies and procedures to ensure compliance with the HIPAA Privacy Rule, steps to terminate workforce access to ePHI when appropriate, and assigning a unique name and/or number for identifying and tracking user identity;
• Adopt and distribute HHS-approved revised policies and procedures to all workforce members who use or disclose ePHI;
• Train all workforce members who have access to ePHI on the revised policies and procedures within ninety (90) days of adopting such policies and procedures; and
• Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation has occurred, notify HHS within thirty (30) days.

This OCR resolution is a reminder that all covered entities “need to know who in their organization can access patient data at all times” as noted by OCR Director Roger Severino. Covered entities – governmental and non-governmental – must have policies and procedures in place to ensure compliance with the HIPAA Privacy and Security Rules.