Saul Ewing Arnstein & Lehr LLP

There were two important HIPAA developments during this past week. First, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that Pagosa Springs Medical Center (“PSMC”), a Colorado hospital, agreed to pay $111,400 to settle allegations of HIPAA violations arising out of the hospital’s failure to deactivate a former employee’s access to protected health information (“PHI”) and its failure to have a business associate agreement (“BAA”) in place with Google. This is the third HIPAA settlement announced by the OCR in as many weeks. Second, the OCR issued a Request for Information (“RFI”) on December 12, 2018, seeking public input on how HIPAA could be modified in light of the healthcare industry’s recent shift toward value-based (as opposed to volume-based) health care initiatives.

PSMC Resolution

According to the Resolution Agreement between OCR and PSMC, PSMC is a critical access hospital with 11 inpatient beds, 24-hour emergency care, imaging and other outpatient services.  The OCR’s investigation of PSMC was initiated by a complaint.  The OCR’s investigation revealed that:

  • PSMC failed to deactivate a former employee’s user name and password, resulting in the impermissible disclosure of the PHI of more than 500 individuals to the former employee; and
  • PSMC disclosed the PHI of more than 500 individuals to its vendor Google, but did not have the BAA with Google that HIPAA requires.

In addition to the $111,400 payment, PSMC and the OCR entered into a two-year Corrective Action Plan (“CAP”), which requires PSMC to:

  • Revise its policies and procedures relating to business associates;
  • Revise its policies and procedures relating to uses and disclosures of PHI;
  • Develop a current and comprehensive risk analysis of security vulnerabilities and submit the same to the OCR for review;
  • Prepare a risk management plan based on the findings in the risk analysis;
  • Train its workforce on the new policies and procedures required by the CAP; and
  • Prepare and submit reports to the OCR with respect to its compliance with the CAP.

The PSMC settlement is the third HIPAA announcement reported by the OCR in the last three weeks, and the second involving the failure of a covered entity to have a HIPAA-required BAA in place with a vendor. Saul Ewing Arnstein & Lehr’s summaries of the prior two HIPAA settlements may be found here and here. Covered entities and business associates must have effective HIPAA compliance programs in place which include, but are not limited to, compliant BAA relationships and immediate termination of access to PHI when an employee is no longer working for the covered entity or business associate.

HIPAA RFI

The RFI is part of the Administration’s “Regulatory Sprint to Coordinated Care.” The RFI seeks public comments on ways to modify the HIPAA regulations to “remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or care management and to promote the transformation to value-based health care.” In the press release announcing the RFI, the OCR stated that, “[I]n recent years, OCR has heard calls to revisit aspects of the [HIPAA] Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of [PHI] and/or patients’ ability to exercise their rights with respect to their PHI.”

The RFI specifically seeks comments on more than fifty (50) “questions” (many of which include sub-questions) directed at the following goals:

  • Encouraging information-sharing for treatment and care coordination;
  • Promoting parental involvement in care;
  • Addressing the opioid crisis and serious mental illness;
  • Accounting for disclosures of PHI as required by the HITECH Act; and
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.

Comments must be submitted no later than February 12, 2019. If HHS is sincere in its interest in considering changes to the HIPAA Privacy Rule, covered entities and business associates should read the RFI and respond to the items in it that are of most interest or greatest potential impact to their organizations. The RFI may be found here.