BY MARY M. BEARDEN AND ALLISON SHELTON, Brown & Fortunato, P.C.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and, through its Privacy and Security Rules, protects the personal health information of patients. With advancements in technology, data sharing, and the way people interact with their health care providers, HIPAA has expanded over the years to encompass the many ways a person’s protected health information (PHI) can be shared and compromised. The Office for Civil Rights (OCR) is the agency within the Department of Health and Human Services (HHS) charged with oversight and enforcement of HIPAA. Two recent enforcement actions by the OCR emphasize the importance of identifying risks and of implementing and maintaining policies and procedures to protect patients’ electronic PHI (ePHI).
The most recent settlement was announced on September 2, 2015, with Cancer Care Group, P.C. (CCG), a large radiation oncology practice in Indianapolis, Indiana. CCG agreed to pay the government $750,000 and to adopt a comprehensive corrective action plan (CAP) after an OCR investigation, triggered by a self-reported breach, uncovered the group’s widespread non-compliance with the HIPAA Security Rule. The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards, including policies and procedures, that protect and secure a patient’s ePHI. In 2012, CCG reported to the OCR that an employee’s laptop bag had been stolen and that it contained unencrypted storage media with the names, addresses, birthdates, and social security numbers of approximately 55,000 CCG patients. The OCR’s subsequent investigation into the group’s practices and policies revealed that CCG had not conducted an appropriate enterprise-wide risk analysis at the time of the breach. Furthermore, prior to the breach, CCG had no policies and procedures in place governing the storage of ePHI on portable media or its removal from the premises. According to the OCR, these failures on the part of CCG directly contributed to the reported breach.
The second settlement occurred earlier this year with St. Elizabeth’s Medical Center in Brighton, Massachusetts. The OCR received a complaint alleging that individuals who worked for and on behalf of St. Elizabeth’s used an internet-based document sharing tool (similar to Google Drive or other cloud-based applications) to store documents containing ePHI, without conducting a risk analysis of the use of such an application. The OCR criticized St. Elizabeth’s for failing to timely identify the risks associated with internet-based data sharing applications and to respond accordingly. In a separate incident, St. Elizabeth’s self-reported an employee’s stolen laptop and external storage media, which also contained patients’ ePHI. St. Elizabeth’s agreed to pay $218,400 and to adopt a comprehensive CAP. OCR Director Jocelyn Samuels cautioned that organizations must be mindful of HIPAA’s requirements when utilizing internet-based data storage and sharing applications, and that employees should be aware of all policies and procedures related to such practices.
The OCR made it clear that each organization’s failure to analyze, identify, and respond to the risks associated with its activities contributed to its reported breaches. To help ensure that such analyses and responses become part of the organizations’ procedures going forward, the CAPs require the organizations (i) to conduct enterprise-wide risk analyses of their data storage and access systems; (ii) to develop and implement risk management plans; and (iii) to regularly review and revise their policies and procedures. These mechanisms are aimed at preventing breaches, at identifying the risks that could lead to a breach, and at instituting policies and procedures for responding when one occurs. The goal of the CAPs is to leave the organizations able to run an effective and robust HIPAA compliance program after the mandatory period of the CAP ends.
The conveniences of electronic data sharing are undeniable. Doctors on opposite sides of the globe can provide consults instantaneously and update the same patient chart at the same time. Individuals can carry thousands of documents on a device no bigger than their thumb. Patients no longer have to visit their physician in person to receive a check-up, diagnosis, and treatment plan (even medication can be delivered to a patient’s door). However, the OCR cautions that measures must be taken to ensure the continued protection of patient data. The HIPAA Security Rule cannot be discarded in the name of convenience and technological advancement.
Simple protections such as encrypting laptops and portable storage devices should be standard for any organization that uses ePHI; both of the stolen-media incidents described above involved unencrypted media, and under HHS guidance the loss of properly encrypted ePHI is generally not a reportable breach. Policies on authentication, such as the mandatory quarterly password changes many organizations adopt, should likewise be documented and enforced (note that more recent NIST guidance in SP 800-63B no longer recommends forced periodic rotation absent evidence of compromise, favoring longer passphrases and multi-factor authentication instead). The CAPs, which are available online, provide organizations with some guidance on developing a comprehensive HIPAA compliance program. For example, conducting periodic “enterprise-wide” risk analyses of an organization’s data access and storage processes, and developing risk management plans to address the findings, will help identify and close gaps in those processes. Furthermore, health care providers should review their policies and procedures regularly to ensure that they remain current with the organization’s practices and with the law. Lastly, employees, agents, and other individuals who work for a health care provider should be familiar with the provider’s policies and procedures. These individuals should be trained on, and held accountable for compliance with, the organization’s HIPAA practices, policies, and procedures.