BY MARY M. BEARDEN AND ALLISON SHELTON, Brown & Fortunato, P.C.
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is often treated as an afterthought by health care providers. Many implement only cursory compliance measures: they post a Notice of Privacy Practices and name a Privacy Official and a Security Official, but they neglect other requirements of the law, such as the requirement for an ongoing, system-wide risk assessment. Some providers will even enter into contracts without a Business Associate Agreement (BAA) in order to close a deal. This March, two entities learned that such choices can have costly consequences.
On March 16, 2016, the Office for Civil Rights (OCR), the federal agency charged with the enforcement of HIPAA, entered into a $1.55 million settlement with North Memorial Medical Care of Minnesota (NMMC) to resolve alleged HIPAA violations. The underlying activity involved NMMC’s business associate, Accretive Health, Inc. (AHI), a financial management solutions company based in Chicago, Illinois.
A breach report was made to OCR after an unencrypted laptop containing the protected health information (PHI) of 9,497 people was stolen from the car of an AHI employee. OCR conducted an investigation and determined that NMMC failed to comply with two major tenets of HIPAA: (1) NMMC did not enter into a BAA with AHI; and (2) NMMC failed to develop and implement a comprehensive risk analysis plan that addressed all aspects of the health center’s IT infrastructure (e.g., all software, workstations, portable electronic media, and security protocols). Under the terms of the settlement, NMMC must pay $1.55 million and implement a robust risk analysis and risk management plan across the organization.
On March 17, 2016, OCR entered into a settlement with Feinstein Institute for Medical Research (FIMR), a research institution affiliated with a large health system, Northwell Health, Inc. In the fall of 2012, FIMR reported that a laptop containing the PHI of approximately 13,000 patients enrolled in a research study had been stolen from an employee’s car. The PHI consisted of patient names, addresses, social security numbers, diagnoses, laboratory results, and health conditions. Upon investigation, OCR found that FIMR had only a limited security management process and lacked basic policies and procedures for safeguarding PHI, restricting access to PHI, and controlling the removal of PHI from the facility. FIMR settled OCR’s claims for $3.9 million. Following the settlement, OCR issued a statement emphasizing that all HIPAA-covered entities, including research institutions, are held to the same standards of compliance.
These settlements provide a few major takeaways for health care providers. First, the NMMC settlement demonstrates that OCR will hold a health care provider responsible for its business associate relationships even when the breach itself occurs on the business associate’s equipment: the laptop was stolen from an AHI employee, but NMMC was faulted for never executing a BAA and never analyzing the risk. Therefore, it is important for a health care provider to have BAAs in place with all business associates before any PHI is shared. A BAA puts business associates on notice of their obligations under HIPAA. Furthermore, a health care provider should use the BAA to require that a business associate maintain HIPAA-compliant business operations and that it either carry insurance covering HIPAA breaches or indemnify the health care provider in the event a breach results from the business associate’s acts or omissions.
Second, the settlements emphasize the importance of organization-wide risk analysis and risk management plans. Such plans help health care providers identify and address vulnerabilities in the entity, prevent breaches of PHI, and detect and respond to security incidents. Risk analysis and management plans cannot guarantee that a breach will never occur, and developing and implementing them can be burdensome. Nevertheless, in the event of a breach, a health care provider will have to demonstrate to OCR that its operations comply with HIPAA and that it continually assesses and responds to risks to electronic PHI held by the provider or by its business associates.
Third, health care providers must identify, track, and actively safeguard all portable devices and media that store electronic PHI. Theft and loss of portable devices and media are among the leading causes of breaches, and both settlements described above began with an unencrypted laptop stolen from a car. Ideally, all portable devices and media containing electronic PHI should be encrypted: under the HIPAA Breach Notification Rule, PHI that has been encrypted in a manner consistent with HHS guidance is not “unsecured” PHI, so the loss of a properly encrypted device generally does not trigger a reportable breach. That protection holds only if the encryption is actually in force and the key is not recoverable with the device (for example, a laptop stolen while powered on or suspended, or with its passphrase written on a note in the bag, gains little from full-disk encryption), so the provider should verify encryption status rather than assume it. In the event encryption is not reasonable or appropriate, the health care provider should implement robust policies and procedures to track and limit the movement of unencrypted electronic PHI.
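Verifying that a laptop is actually encrypted is easy to automate. The following script is an added example, not part of the original article or any product the firm describes. It assumes a Linux endpoint using dm-crypt/LUKS under the root filesystem and reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux) emits; the embedded sample output and the mountpoint exception list are constructed for illustration. A mount is treated as encrypted only if some device between the physical disk and the filesystem has type `crypt`, so a plain USB stick mounted in the clear is reported even on an otherwise encrypted machine.

```python
"""Flag mounted filesystems that are not backed by a dm-crypt (LUKS) device.

Consumes the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and walks the
block-device tree: a mount counts as encrypted only if some device on the path
from the disk down to the filesystem has TYPE "crypt". Everything else is
reported so it can be remediated or documented as an exception.
"""
import json
import subprocess
import sys

# Constructed sample output (not captured from a real machine): nvme0n1p2 is a
# LUKS container holding LVM volumes for / and /home, while the USB stick sdb1
# is mounted unencrypted.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
  ]}
]}
"""

# Mountpoints expected to be unencrypted because firmware or the bootloader
# must read them; an assumed default, adjust to your own documented exceptions.
DEFAULT_EXCEPTIONS = frozenset({"/boot", "/boot/efi"})


def _walk(node, encrypted, out):
    """Record each mountpoint with whether a crypt layer sits above it in the tree."""
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out[mountpoint] = (node["name"], encrypted)
    for child in node.get("children", []):
        _walk(child, encrypted, out)


def classify_mounts(lsblk_json):
    """Return {mountpoint: (device_name, is_encrypted)} for every mounted filesystem."""
    tree = json.loads(lsblk_json)
    out = {}
    for device in tree["blockdevices"]:
        _walk(device, False, out)
    return out


def unencrypted_mounts(lsblk_json, exceptions=DEFAULT_EXCEPTIONS):
    """Return the sorted mountpoints that have no dm-crypt layer beneath them."""
    mounts = classify_mounts(lsblk_json)
    return sorted(mp for mp, (_, enc) in mounts.items()
                  if not enc and mp not in exceptions)


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Query the running system; requires util-linux lsblk with JSON support.
        data = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                              check=True, capture_output=True, text=True).stdout
    else:
        data = SAMPLE_LSBLK_JSON
    findings = unencrypted_mounts(data)
    for mp in findings:
        print(f"UNENCRYPTED: {mp}")
    sys.exit(1 if findings else 0)
```

Run it with `--live` on an endpoint, or from a configuration-management job, and treat a non-zero exit as an inventory finding. The check only sees block-level encryption; file-level schemes such as fscrypt or eCryptfs, and self-encrypting drives, need their own checks, and on Windows and macOS the equivalent questions are answered by `manage-bde -status` and `fdesetup status` respectively.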
Finally, workforce education is essential to securing PHI. A health care provider is legally obligated to train each member of its workforce on the HIPAA policies and procedures relevant to that person’s job functions when the person joins the workforce and whenever changes in the law or in the provider’s policies and procedures affect those functions. Moreover, Texas law requires health care providers to train a new employee within 90 days of hire. The commitment of every employee to the organization’s HIPAA compliance program is essential to preventing breaches of PHI.
In light of these two recent and costly OCR settlements, providers should reevaluate their HIPAA policies and procedures and ensure that they have in place ongoing, system-wide risk assessment plans.