HIPAA Enforcement Relaxed, But Not Abandoned

Hodgson Russ LLP

As previously reported here, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced in March 2020 that it would exercise discretion in enforcement actions related to HIPAA restrictions that might otherwise limit the good faith provision of telehealth services. But with the pandemic and the implementation of work-from-home policies, health care providers — so-called “Covered Entities” — must be more vigilant than ever to employ commercially reasonable efforts to safeguard the protected health information (PHI) of patients.

One recent enforcement action is a case in point. On July 27, 2020, OCR announced a $1,040,000 settlement with Lifespan Health System Affiliated Covered Entity (Lifespan) to settle alleged violations of HIPAA’s Privacy and Security Rules. The settlement followed Lifespan’s self-disclosure to OCR of the theft of an employee’s laptop from a locked car. The laptop contained the PHI of 20,431 patients across various affiliated provider facilities. The exposed PHI included patients’ names, medical record numbers, demographic information, and medication information. OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules, including a failure to encrypt PHI on laptops after Lifespan itself had determined that encryption was reasonable and appropriate. The investigation also found other controls lacking, including the absence of device and media controls and the failure to have business associate agreements in place among healthcare provider affiliates. OCR Director Roger Severino touted the settlement, stating, “[l]aptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.” In addition to the monetary settlement, Lifespan agreed to a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/lifespan-ra-cap-signed.pdf.

HIPAA’s standards for the lawful use and disclosure of PHI can be onerous. Covered Entities must conduct annual audits to assess gaps in security, remediate those gaps, draft and revise policies and procedures to comply with HIPAA, train personnel, vet and manage vendors with access to PHI, and create processes to respond to and report breaches, among other things. Even under the best of circumstances, these requirements can lead to problems that expose Covered Entities to regulatory fines. Some of the more common enforcement actions arise out of failing to properly safeguard PHI, failing to enter into the appropriate business associate agreements, and/or disclosing PHI in a way that is not allowable under the law.

The Lifespan settlement is an important reminder that Covered Entities need to be proactive about protecting PHI in order to avoid and/or mitigate the consequences of a breach. Regular assessments of your security procedures are not only prudent, they are the law.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising
