The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced two settlements of more than $2 million each with respect to alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlements involve Oregon Health and Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”). Both settlements arose subsequent to HIPAA breach reports involving lost or stolen mobile and storage devices. The settlements emphasize the continued importance of an enterprise-wide HIPAA security program with appropriate institutional oversight.
OCR’s investigation of OHSU arose after OHSU submitted multiple breach reports, including two reports involving unencrypted laptops and another involving a stolen unencrypted thumb drive. According to the press release issued by OCR announcing the OHSU settlement, OCR’s investigation revealed “widespread vulnerabilities within OHSU’s HIPAA compliance,” including that the electronic protected health information (“PHI”) of more than 3,000 individuals was being stored by a third-party vendor without a business associate agreement. Although OHSU had conducted numerous risk analyses, OCR determined the analyses to be insufficient because they “did not cover all [electronic] PHI in OHSU’s enterprise.”
As a condition of the settlement, OHSU is required to pay OCR $2.7 million and enter into a three (3) year corrective action plan (“CAP”) with OCR. According to the CAP, OHSU must:
The OHSU press release, settlement agreement and CAP may be found here.
In March 2013, UMMC submitted a HIPAA breach report to OCR following the theft of a password-protected laptop from UMMC’s medical intensive care unit. OCR’s investigation revealed that UMMC had been aware of risks and vulnerabilities to its systems for several years, but “no significant risk management activity occurred until after the breach.” Specifically, OCR’s investigation revealed that electronic PHI was exposed to unauthorized access following the laptop theft because users could reach a directory of more than 67,000 files using a generic username and password.
As a part of the settlement, UMMC is required to pay OCR $2.75 million and enter into a three (3) year CAP. The CAP required UMMC to do the following:
The UMMC press release, resolution agreement and CAP may be found here.
Takeaways and Important Next Steps
Mobile devices present security challenges for covered entities and business associates. Failure to protect electronic PHI on these devices can have significant adverse consequences. Covered entities and business associates must conduct comprehensive and enterprise-wide risk assessments and implement rigorous security management programs.
OCR HIPAA settlements with covered entities and business associates for 2016 alone now exceed $14.5 million. Covered entities and business associates should review each OCR settlement agreement, draw the lessons from these public documents to ensure their own organizations are not susceptible to the same fact scenarios, and take appropriate precautions to ensure HIPAA compliance.
Saul Ewing attorneys regularly counsel and assist clients with their HIPAA Privacy Rule, Security Rule and Breach Notification Rule challenges and needs, including assistance in conducting risk assessments and implementing risk management programs. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.