NYC Hospital Agrees to Pay $4.75 Million as Part of a HIPAA Settlement

Saul Ewing LLP

On February 6, 2024, the HHS Office for Civil Rights (“OCR”) announced a settlement with Montefiore Medical Center (“MMC”) resolving alleged HIPAA Security Rule violations. Under the settlement, MMC agreed to pay $4.75 million and to enter into a two-year corrective action plan (“CAP”) with OCR. MMC admitted no wrongdoing.

What You Need to Know:

  • An employee’s improper motives do not absolve the employer of its HIPAA responsibilities.
  • HIPAA Security Rule and Privacy Rule compliance remains imperative for HIPAA-covered entities.
  • Depending on the results of the investigation, Corrective Action Plans can be comprehensive and the settlements can be expensive.

In July 2015, MMC notified HHS of a breach of electronic protected health information (“ePHI”) held in its electronic medical record system that affected 12,517 patients. MMC learned of the breach when the New York City Police Department informed it that a specific patient’s ePHI had been stolen. MMC’s investigation found that one of its employees had stolen ePHI and sold it to an identity theft ring over a six-month period in 2013.

OCR’s investigation of MMC found evidence of potential HIPAA Security Rule violations, including failures to:

  • conduct an accurate and thorough risk analysis of the confidentiality, integrity, and availability of all ePHI held by MMC;
  • implement procedures to regularly review information system activity; and
  • implement hardware, software, and/or procedural mechanisms to record activity in all information systems that contain ePHI.

As part of the CAP, MMC agreed to:

  • conduct a risk analysis and assessment of its ePHI;
  • develop and implement a risk management plan to address and mitigate issues identified through the risk analysis; 
  • implement audit controls to examine activities in all of its information systems that contain ePHI; 
  • review and revise its policies and procedures to ensure full compliance with the HIPAA Security Rule; 
  • distribute the updated policies and procedures to all MMC workforce members who have access to PHI; 
  • ensure these policies address 10 different HIPAA Privacy and Security Rule requirements; and
  • provide training for all workforce members who have access to MMC PHI.

A copy of the OCR and MMC settlement agreement can be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/montiefore/index.html

This multi-million dollar settlement is a reminder of the importance of having robust HIPAA Security Rule and Privacy Rule protections in place at every covered entity and business associate. A single rogue employee exposed thousands of MMC patients to substantial potential harm, and the multi-year OCR investigation that followed was likely a significant institutional distraction. A settlement of this type was ‘predicted’ in the Saul Ewing 2024 health law group predictions article: https://www.saul.com/insights/alert/2024-health-care-predictions which stated: “Do not be surprised if several large covered entities and business associates experience a significant Security Rule issue in 2024 that garner unwanted attention, increased security in information security lapses, costly investigations, and expensive settlements and remediation plans.”

HHS OCR continues its active enforcement of HIPAA following breaches, and expensive settlements and CAPs are the likely result when violations are found. It is imperative to be proactive in your organization’s HIPAA compliance efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
