Idaho State University (ISU) was recently the target of an investigation and enforcement action for violations of the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). The Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) entered into a Resolution Agreement with ISU that contains a Corrective Action Plan (CAP), which should act as a cautionary lesson to large multi-faceted organizations that provide both health care services and education.
The $400,000 fine paid by ISU was relatively small compared to others imposed recently by OCR. ISU is a large educational institution that also maintains several outpatient health care services units. The major takeaway from this OCR action is that IT and management personnel with the responsibility for protecting privacy of information generally must allocate HIPAA responsibility to those “covered entities” in addition to their duties to non-covered entities (a so-called “hybrid” organization under HIPAA). In this case, ISU allegedly failed to conduct a risk analysis between 2007 and 2012 with respect to its HIPAA-covered entities (the outpatient medical clinics). In 2012, ISU discovered that a firewall, which would normally block access to personal health information (PHI) for certain of those owned and controlled outpatient health clinics, had been removed.
For those providers who worry about HIPAA criminal and civil fines and penalties imposed by OCR, such concern is well placed, but covered entities might want to review the terms of the fairly onerous CAP signed by ISU. The CAP is effective for two years and requires ISU to initially describe its “hybrid” entity status to OCR, including identifying those units within ISU that are determined to be covered entities under HIPAA. It also provides that after ISU submits its most recent risk management plan with respect to privacy and security to OCR, OCR can require changes in that plan. ISU agreed upfront to incorporate any recommendations by OCR for changes into its operations and training. OCR also required ISU to submit documentation of its implementation of any suggested IT policies and procedures and to make any changes required by OCR within a 30-day timeframe.
These onerous provisions on continuing operations keep OCR in an oversight capacity that could be difficult for administrators and IT professionals to manage. In addition to the previously described commitments, ISU also agreed in the CAP to share the technical details of its “gap” analysis with respect to each HIPAA Security Rule provision tested. OCR’s oversight is even more expansive when dealing with employee discipline in the workforce at ISU. Any failure of a workforce member to abide by ISU’s privacy and security policies and procedures must be reported to OCR together with a description of the incident and the discipline imposed on the workforce member. By doing so, OCR is lifting the veil on internal disciplinary actions that are usually not publicized or shared with the government or anyone else outside the organization where the incident occurred.
Other large educational and/or healthcare entities should take notice of OCR’s actions in the ISU case, especially where the lines between divisions or departments are not clear, such as medical and professional schools, continuing care retirement communities and health care systems. Providers will generally agree that meeting HIPAA/HITECH compliance requirements is important, but a CAP with the transparency executed by ISU could be extremely confining for administrators with responsibility for continuing IT operations and meeting HIPAA and HITECH requirements.
Keep in mind that OCR is monitoring complaints and indications of concern about patient privacy generally. If you require assistance in dealing with breaches, investigations of violations of HIPAA and meeting upcoming dates for HIPAA compliance under the Final Rule (discussed in our January 24, 2013 Pepper Hamilton Health Care Law Alert “The Omnibus Final HIPAA Rule Is Here”), please communicate with your contact attorney at Pepper Hamilton.