By John H. Fisher II
January 26, 2017
We can learn some valuable lessons about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) from settlements that are announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). These settlements give us guidance of issues OCR considered important as well as their interpretation of various HIPAA requirements. This is a summary of a few more recent settlements announced by OCR.
The Importance of Implementing Safeguards for electronic Protected Health Information (ePHI)
MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to pay $2.2 million and implement a corrective action plan in a case arising from a stolen “pen drive” containing complete names, dates of birth, and Social Security numbers of 2,209 individuals. The pen drive containing the ePHI was stolen from the MAPFRE tech department. MAPFRE filed a breach report with OCR stating it was able to identify the breached ePHI by reconstituting the data in the computer on which the USB data storage device was attached.
The company represented in its breach report that it would take certain steps to correct its noncompliance with HIPAA requirements. A subsequent investigation by OCR revealed that MAPFRE had failed to conduct a risk analysis, failed to implement risk management plans, and failed to deploy encryption or an equivalent alternative measure on its laptops and removable storage media in a timely manner. The company also failed to implement or delayed implementing other corrective measures it had previously told OCR would be implemented.
In announcing the settlement, OCR stressed that covered entities are expected to perform assessments to protect and safeguard ePHI. Additionally, the results of those assessments must actually be implemented. Part of the problem MAPFRE has is representing things to OCR that were not implemented. This was almost certainly a factor resulting in OCR taking enforcement action against MAPFRE.
Failing to Provide Breach Notification on Time
An OCR settlement with Presence Health is heralded as the first OCR settlement resulting from a failure to report a breach of unsecured ePHI within the timeframes required under applicable HIPAA regulations. Failing to meet applicable timeframes cost Presence Health $475,000 in settlement with OCR.
The case arose when paper-based operating schedules, which contain PHI of 836 individuals, were found to be missing from the surgery center at one of the provider’s medical centers. The operating schedules were discovered to have been missing on October 22, 2013 but breach notification was not provided to OCR until January 31, 2014. The notification was not provided in time to meet the requirement that a covered entity notify OCR of a breach without unreasonable delay and within 60 days of discovery. The breach disclosure rules applicable to breaches affecting 500 or more individuals were applicable. These rules require notification to prominent media outlets, affected individuals, and OCR.
In its press release covering this settlement, the OCR stressed, “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
It is unclear exactly why the provider failed to meet the regulatory requirements in this case. The settlement is a good example of why it is necessary for covered entities to have clear policies describing the process to be followed when faced with a potential breach situation. This is also an area of OCR audit under the Stage II OCR audit program. Providers should be certain their breach disclosure policies and procedures are in place. There have been changes to the breach disclosure regulations over the years, so policies should be reviewed to be in compliance with current law and properly updated.
Malware Infection and Lack of Firewall Protection Causes Breach
In yet another significant settlement by OCR, the University of Massachusetts-Amherst (UMass) agreed to a monetary penalty of $650,000 resulting from a workstation that was contaminated with a malware program that resulted in impermissible disclosure of electronic health information. This disclosure involved information of about 1,670 individuals and included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The provider determined the malware was a generic remote access Trojan that infiltrated their system because a proper firewall was not in place.
Central to OCR’s analysis was the provider failed to identify the components located in its Hearing Center as being part of covered components. This resulted in the provider failing to apply and ensure compliance with HIPAA privacy and security rules at that location. HIPAA permits legal entities have some functions covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components. It was the failure to properly follow the hybrid entity rules that left the components at the applicable site vulnerable to outside malware attack.
UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the applicable location. This settlement emphasizes the need to assure that PHI is properly secured and firewalls are used when needed. It is also instructional regarding the proper application of the rules relating to hybrid status.
The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.