The Department of Health and Human Services (HHS) recently announced its fourth settlement in 2012 regarding violations of the HIPAA Security Rule.¹ The settlement, which reflects increased enforcement activity relating to health data, includes a resolution agreement between Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") and HHS stemming from the theft of an unencrypted laptop containing electronic personal health information (ePHI) of MEEI patients. In addition to the $1.5 million settlement amount, MEEI agreed to comply with a corrective action plan (CAP). The CAP requires independent monitoring and annual written compliance reports by MEEI. The enforcement action and settlement highlight the ongoing risks of processing health information and the consequences of failed or inadequate security measures.

Alleged Inadequate Risk Management and Security Policies and Procedures

HHS alleged several violations of the Security Rule in MEEI's security management and implementation, particularly with regard to portable media devices such as laptops. Specifically, HHS alleged that MEEI failed to conduct a "thorough" risk assessment of its policies and practices related to the confidentiality of ePHI stored on portable devices. HHS concluded that MEEI failed to adopt or implement proper security measures and policies and procedures meeting the standards required by the Security Rule, including:

• insufficient security measures to protect ePHI on portable devices;
• inadequate security incident response policies and procedures;
• inadequate monitoring and technical restrictions of portable devices accessing its computers;
• unsatisfactory physical security measures to track movement of portable devices containing ePHI into, out of, and within its facilities; and
• nonexistent encryption policies and procedures for ePHI stored on portable devices.

MEEI Corrective Action Plan

As part of the settlement, MEEI agreed to comply with a corrective action plan. The CAP is a detailed plan intended to ensure that MEEI complies with the Security Rule and to improve MEEI's internal awareness of its policies and procedures. The CAP requires MEEI to:

• construct appropriate written policies and procedures;
• train all workforce members with access to ePHI on the policies and procedures;
• implement internal monitoring of workforce compliance with policies and procedures and maintain proper documentation and investigation of instances of noncompliance;
• participate in independent monitoring for three years, including semi-annual reports to HHS; and
• provide an initial implementation report to HHS and annual implementation reports each year for the next three years.

The CAP also includes ten specific, required improvements to MEEI's policies and procedures, including many related specifically to portable devices and media:

1. Administrative, physical, and technical safeguards for all portable devices that contain or access ePHI
2. Documented steps to complete thorough risk assessments related to the use of portable devices to access or store ePHI
3. Security measures to reduce the risks identified in MEEI's risk assessments
4. A security official responsible for compliance with the Security Rule
5. Security incident response, mitigation, and documentation policies
6. Rules regarding the proper access and use of ePHI and the proper physical environment in which to access and use ePHI
7. Procedures to track the movement of hardware and electronic media into, out of, and within MEEI's facilities
8. Encryption of portable devices storing ePHI
9. Instructions and procedures for using and disclosing ePHI with portable devices
10. Sanctions for noncompliance with policies and procedures

Implications for Entities Subject to HIPAA Regulations

The settlement provides a reminder of the costly consequences of noncompliance with the Security Rule and other HIPAA requirements. One of MEEI's employees stored patient information, such as prescriptions and clinical information, on a laptop. That laptop was stolen, and MEEI properly notified HHS, as required by HIPAA. The notification to HHS triggered an investigation, a significant monetary fine, and three years of direct government oversight of compliance remediation.

HIPAA imposes strict security requirements on entities that collect, use, and disclose health information as "covered entities" or as "business associates" providing services for such entities. Security can only be as effective as its weakest safeguard. Excellent security procedures in some areas, such as server infrastructure, can be undermined by lower standards in other areas, including "bring-your-own-device" policies with limited effectiveness. Regular and thorough assessments of security policies and procedures aimed at the identification and remediation of risks, including the use of third parties, represents a practical tool to help improve security. Further, designation of an employee responsible for HIPAA-related compliance also can improve a covered entity's internal awareness and responsiveness to changing workplace realities and foster greater accountability.

Given the potential severity of penalties resulting from investigations, entities subject to these regulations, including self-insured employee health benefit plans, may want to take a fresh look at HIPAA-related compliance policies and procedures.

Wilson Sonsini Goodrich & Rosati attorneys regularly assist clients with all aspects of their privacy and information governance needs, including HIPAA compliance evaluations, security incident responses, and incident avoidance. For additional information, please contact Gerry Stegmaier at gstegmaier@wsgr.com or (202) 973-8809, Wendy Devine at wdevine@wsgr.com or (858) 350-2321, or Wendell Bartnick at wbartnick@wsgr.com or (202) 973-8963.

¹ The Security Rule aims to protect health information in electronic form by requiring the adoption and implementation of physical, technical, and administrative safeguards. 45 C.F.R. Part 160 and Subparts A and C of Part 164.