HIPAA Enforcement Update (February 2017 – April 2017)

In recent months, the Department of Health and Human Services, Office for Civil Rights (OCR) has announced four settlement agreements and one civil monetary penalty to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. Four of the enforcement actions signal OCR’s focus on the HIPAA Security Rule, particularly the need for organizations to audit and assess risks to electronic protected health information (ePHI) and to implement corrective action when security risks are identified. In addition, OCR again stresses the need for entities subject to HIPAA to enter into a business associate agreement (BAA) with downstream organizations receiving patients’ protected health information (PHI), the importance of adopting comprehensive HIPAA policies and procedures, and maintaining strong processes relating to access controls.

Most recently, on April 24, 2017, OCR announced a $2.5 million settlement agreement with CardioNet, an organization that provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias. CardioNet filed a data breach report with OCR when a workforce member’s laptop, containing ePHI of 1,391 individuals, was stolen. OCR’s subsequent investigation revealed CardioNet had insufficient risk analysis and risk management processes as required by the HIPAA Security Rule. Furthermore, CardioNet’s data security policies and procedures were still in draft form and had not yet been implemented. When announcing this settlement, OCR noted that mobile devices remain particularly vulnerable for potential data breaches and the settlement signals that an organization’s failure to implement appropriate security safeguards for these devices may incur penalties.

On April 20, 2017, OCR issued a press release indicating that the Center for Children’s Digestive Health (“CCDH”) paid $31,000 to settle potential HIPAA violations for its failure to enter into a BAA with a downstream contractor, FileFax, Inc. (FileFax). In August 2015, OCR initiated an investigation of FileFax, a company that stored records containing PHI for CCDH. OCR found that although CCDH began disclosing PHI to FileFax in 2003, neither CCDH nor FileFax could produce a signed BAA dated prior to October 12, 2015. This settlement highlights the importance of obtaining BAAs with all vendors prior to disclosing PHI and signals that, although business associates are now directly liable for compliance with certain aspects of HIPAA, BAAs remain an important component of HIPAA compliance.

On April 12, 2017, Metro Community Provider Network (MCPN) agreed to a $400,000 settlement with OCR for its lack of security management process to safeguard ePHI. The settlement arises from a breach report MCPN filed with OCR disclosing a phishing incident in which a hacker accessed MCPN employees’ e-mail accounts and obtained the ePHI of 3,200 individuals. OCR’s investigation revealed that prior to the incident, MCPN failed to conduct a risk analysis as required by the HIPAA Security Rule to assess the risks and vulnerabilities with respect to its ePHI. Furthermore, OCR concluded that the risk analysis conducted after the phishing incident and subsequent analyses were insufficient to meet the requirements of the Security Rule. When determining the $400,000 settlement amount, OCR considered MCPN’s status as a federally-qualified health center and balanced the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of its ongoing patient care. OCR has released a significant amount of guidance on Security Rule compliance and risk analysis. In July 2016, OCR released a Fact Sheet on healthcare ransomware attacks.

On February 16, 2017, OCR issued a press release announcing a $5.5 million settlement with Memorial Healthcare System (MHS) in relation to MHS’s inaction allowing unauthorized users to access ePHI of 115,143 individuals through use of login credentials belonging to a former employee of a physician practice affiliated with MHS through an Organized Health Care Arrangement (OHCA). According to the press release, although MHS had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access. Further, OCR found that MHS failed to regularly review records of information system activity on applications that maintain ePHI by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012. Following announcement of this settlement, Robinsue Fohboese, OCR’s Acting Director, stated that “organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

Lastly, on February 1, 2017, OCR announced a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s) predicated on Children’s impermissible disclosure of unsecured ePHI and prolonged non-compliance with multiple HIPAA Security Rule standards. Children’s first filed a breach report with OCR in 2010 when a non-password-protected mobile device containing ePHI of approximately 3,800 individuals was compromised. Three years later, in 2013, Children’s filed another breach report when an unencrypted laptop containing the ePHI of approximately 2,462 individuals was stolen from its premises. OCR’s investigation revealed that in 2007 and 2008 Children’s had received external recommendations relating to laptop encryption through security risk assessments and gap analyses that identified the lack of risk management as a high risk issue. Accordingly, OCR concluded that, despite Children’s awareness of the risks involved with maintaining unencrypted ePHI on mobile devices, it continued to allow its workforce to utilize unencrypted devices until after its second data breach incident in 2013. Although OCR prefers to settle cases and assist entities in implementing corrective action plans, circumstances in this case led OCR to pursue full civil monetary penalties against Children’s and issuance of a Final Notice of Determination.

Tammy Woffenden is a partner and Ashley Wheelock is an associate in Locke Lord’s Austin office. Tammy can be reached at twoffenden@lockelord.com, and Ashley can be reached at Ashley.Wheelock@lockelord.com.