Since October 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) has announced four settlement agreements to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. These settlements are consistent with OCR’s recent pattern of increased HIPAA enforcement activity, steep penalty assessments and low tolerance for failure to fully implement and comply with the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
Most recently, on January 18, 2017, OCR announced a $2.2 million settlement agreement underscoring the need for covered entities to implement safeguards for electronic protected health information (ePHI). Here, MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) filed a breach report with OCR indicating that a USB data storage device containing the ePHI of 2,209 individuals was stolen from its IT department. During OCR’s subsequent investigation, it found that MAPFRE had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and that MAPFRE had not implemented security measures, such as encryption, sufficient to reduce those risks and vulnerabilities to a reasonable level. This settlement agreement serves as a reminder to covered entities and business associates that—as required by the HIPAA Security Rule—they must conduct enterprise-wide risk analyses of ePHI security and develop a risk management plan to address and mitigate any security vulnerabilities identified.
On January 10, 2017, OCR issued a press release announcing its first HIPAA settlement agreement for the untimely reporting of a breach of unsecured protected health information (PHI). Presence Health, a non-profit health care system in Illinois, sustained a data breach on October 22, 2013, when it could not locate its paper-based operating room schedules containing the PHI of 836 individuals. During the course of its investigation, OCR discovered that Presence Health had failed to provide notification of the breach within the timeframes outlined in the HIPAA Breach Notification Rule. In this case, Presence Health should have provided notification of the breach to affected individuals, prominent media outlets and OCR without unreasonable delay and no later than 60 calendar days after its discovery of the breach. However, Presence Health provided notifications to individuals and the media 104 calendar days after discovery of the breach and notified OCR 101 calendar days after discovering the breach. Presence Health’s failure to timely notify each of the 836 affected individuals constituted a separate violation of the Breach Notification Rule, 45 C.F.R. 164.404(b). Under the terms of the settlement agreement, Presence Health agreed to pay $475,000. Importantly, this settlement signals OCR’s intention to enforce breach notification deadlines, and covered entities and business associates must be mindful of reporting timelines or risk potential violations.
On November 22, 2016, OCR announced a resolution agreement with the University of Massachusetts Amherst (UMass), emphasizing the necessity for an entity to correctly designate all of its health care components when electing “hybrid entity” status under HIPAA. Here, an impermissible disclosure of 1,670 individuals’ ePHI occurred when a workstation in UMass’s Center for Language, Speech, and Hearing (the “Center”) was infected with malware in 2013. During OCR’s investigation, it learned that UMass incorrectly determined that the Center was not a health care covered component within its hybrid entity designation and, consequently, had not implemented HIPAA-compliant policies and procedures at the Center. OCR entered into a settlement agreement requiring UMass to pay $650,000. OCR noted in the settlement agreement that, when determining the settlement amount, it took into consideration the fact that the University operated at a financial loss in 2015 and that the Center provides unique services to an underserved population. This settlement emphasizes the importance of a hybrid entity conducting a full evaluation of all of its operations in order to properly identify which of its functions and departments are health care components subject to HIPAA regulation.
Lastly, on October 17, 2016, St. Joseph Health (SJH) entered into a settlement agreement with OCR requiring it to pay a $2,140,500 penalty. In this matter, SJH purchased a server with a file sharing application that, by default, gave file access to anyone with an Internet connection. Upon implementation of this server and the file sharing application, SJH did not examine or modify the default settings. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses and demographic information. This settlement emphasizes the need for an entity to thoroughly understand all of its technology equipment and its security settings. Entities must not only conduct a comprehensive risk analysis but must also evaluate and address potential security risks when implementing enterprise changes that affect ePHI.