It has been a busy last few weeks at the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR has announced four new enforcement actions, the most recent of which is rooted in a healthcare provider's failure to properly identify and report a breach of protected health information (PHI), and the others in healthcare providers' failure to conduct thorough, enterprise-wide HIPAA security risk analyses.
Interestingly, the actions involve a varied group of healthcare providers, from a state health services agency to a multi-hospital system—only two of which decided to enter into settlement agreements with OCR. Despite the differences in the healthcare providers and their approaches to reaching a resolution, the enforcement actions provide several key takeaways for other covered entities and business associates.
Background on the Enforcement Actions
November 27, 2019 Settlement Agreement: Importance of Promptly Identifying and Reporting Breaches of PHI
On November 27, 2019, OCR announced a settlement with a hospital system (the "Hospital System") comprising 12 acute care hospitals and more than 300 care sites in Virginia and North Carolina. The settlement includes a penalty of $2.175 million and a two-year corrective action plan (CAP).
In April 2017, OCR received a complaint alleging that the Hospital System had sent a bill to an individual containing another individual's PHI (specifically, name, account number, and dates of services). While the Hospital System had reported the incident, OCR investigated and determined that the Hospital System had grossly underreported the number of affected individuals. According to OCR, the Hospital System had incorrectly concluded that no PHI was involved in the incident because the information disclosed did not include patient diagnosis, treatment information, or other medical information, and, thus, there was no reportable breach. Even after OCR directed the Hospital System to report these incidents as breaches, the Hospital System refused. When it did eventually follow OCR guidance, the number of impacted individuals rose from eight to 577.
Following its investigation, OCR concluded that the Hospital System failed to notify OCR of a breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule and failed to enter into a business associate agreement with its parent company, which served as its business associate. For these violations, as stated above, the Hospital System owes over $2 million in fines, and OCR will review its compliance with the extensive CAP for 2 years.
November 7, 2019 Civil Monetary Penalty (CMP): Importance of Enterprise-wide Security Risk Assessments and Implementation of Access and Audit Controls
On November 7, 2019, OCR imposed a CMP of $1.6 million against a Texas state agency (the "Agency") for violations of the HIPAA Privacy and Security Rules related to a breach of over 6,000 individuals' PHI. The Agency provides services and benefits in Texas through programs such as Medicaid for families and children, long-term care for people who are older or who have disabilities, behavioral health services, and services for other people with special health needs.
Unlike the vast majority of OCR's enforcement actions that resolve through settlement, the Agency waived its right to a hearing and did not contest the findings set forth in the OCR's Notice of Proposed Determination, agreeing to pay the full CMP assessed by OCR.
The HIPAA violations at issue arose from the Agency's report of a breach of unsecured PHI to OCR in June 2015. The Agency learned about the breach from an unauthorized user who was able to access PHI without credentials because of a software flaw after an internal application was moved from a private, secure server to a public server. Names, addresses, Social Security and Medicaid numbers, and treatment and diagnosis information of over 6,000 people were accessible to unauthorized persons.
Following receipt of the Agency's breach report, OCR initiated an investigation that revealed that, in addition to the impermissible disclosure, the Agency had only performed "risk analysis activities" on individual applications and servers and had never performed an "agency-wide" security risk assessment. Moreover, OCR determined that the Agency had never implemented access and audit controls on systems as required under the HIPAA Security Rule.
November 5, 2019 Settlement Agreement: Importance of Implementing a Risk Treatment Plan Following a Risk Assessment and Encryption
On November 5, 2019, OCR announced that it entered into a resolution agreement with a New York–based health system (the "Health System"). The Health System agreed to pay OCR a $3 million CMP and committed to a two-year CAP to settle potential violations of HIPAA.
According to the resolution agreement, the Health System reported a breach of unsecured PHI in May 2013 following the loss of an unencrypted flash drive containing patients' PHI. The Health System reported another breach of unsecured PHI in July 2017 when an unencrypted personal laptop of one of its resident surgeons containing PHI was stolen from one of its facilities. OCR initiated an investigation into the Health System following the second breach, noting that it had previously investigated and provided technical assistance to the Health System in 2010 regarding a similar breach.
Following its latest investigation, OCR determined that the Health System failed to conduct a thorough risk assessment as required by the HIPAA Security Rule, implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, implement device and media controls, and implement sufficient mechanisms to encrypt PHI when it was reasonable and appropriate to do so. Despite the technical assistance and the Health System's own identification of the lack of device encryption as a high risk to PHI, the Health System continued the use of unencrypted mobile devices. In the press release regarding the resolution agreement, the OCR Director stated, "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect." Thus, even conducting a thorough risk analysis is not sufficient – the findings must be implemented through an appropriate risk management process.
October 23, 2019 CMP: Importance of HIPAA Security Risk Assessment and Minimum Necessary Requirements
OCR imposed a $2.15 million CMP against a Florida nonprofit academic medical system, which operates six major hospitals, a network of urgent care centers, and multiple primary care and specialty care centers (the "Medical System"). As in the November 7 enforcement action, the Medical System did not contest the findings set forth in the OCR's Notice of Proposed Determination and agreed to pay the full CMP assessed by OCR.
According to the Notice of Proposed Determination, OCR determined that the Medical System violated HIPAA on multiple occasions between 2013 and 2016, arising from a breach of unsecured PHI involving lost paper records, a separate breach of unsecured PHI involving a Medical System employee selling patients' PHI over a five-year period, and media reports disclosing the PHI of a well-known NFL player.
OCR concluded that the Medical System failed to provide timely and accurate notification of a breach of unsecured PHI, conduct enterprise-wide risk assessments, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to PHI to the minimum necessary to accomplish their job duties.
These recent enforcement actions provide several important reminders to covered entities and business associates with respect to HIPAA.
First, organizations should identify their PHI and timely report any breach involving PHI. The Hospital System in the November 27 enforcement action should have recognized that its billing statements contained PHI, even without the inclusion of diagnosis, treatment, or other specific health information, and even more so when it was told by OCR to treat such information as PHI that had been compromised. In addition, the Medical System in the October 23 enforcement action failed to report the loss of three boxes of patient records in December 2012 until June 2016. The OCR Director stated in the press release on the November 27 enforcement action, "When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement by OCR."
Second, organizations must conduct thorough, enterprise-wide security risk assessments. According to OCR, while the Medical System involved in the October 23 enforcement action provided risk analyses conducted on its behalf by third parties from 2014 to 2017, OCR alleged that such risk analyses were deficient in scope and substance. With respect to the scope of the risk analyses, OCR claimed the Medical System continually failed to conduct sufficient, enterprise-wide risk assessments that included all PHI created, received, maintained, or transmitted by the Medical System, only examined the main campus of the Medical System, and based its review son a limited review of policies and procedures and staff interviews.
OCR also determined that the risk assessments were substantively deficient in several ways. As an example, the Medical System did not identify the totality of threats and vulnerabilities existing in the organization's systems. In addition, OCR pointedly noted that some sections of the risk analyses were left blank and some "erroneously identified several provisions of the Security Rule as 'not applicable'" (when they were) to the Medical System. In addition, the Health System involved in the November 5 enforcement action also failed to properly conduct an enterprise-wide and thorough risk assessment, as did the Agency in the November 7 enforcement action.
Third, organizations must have a defined risk management process for the remediation of risks and vulnerabilities identified during a risk assessment. OCR found that the Medical System and the Health System involved in the October 23 and November 5 enforcement actions, respectively, failed to implement security measures sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level to comply with the HPAA Security Rule. While the risk analyses did recommend remediation efforts, the healthcare providers did not provide evidence or documentation of a response to those recommendations. With regard to the Health System, for example, it continued to use unencrypted mobile devices despite OCR's previous investigation and technical assistance. Organizations should ensure that risks are prioritized in their HIPAA risk assessments and then have a process for tracking implementation of recommended items to address those risks.
Fourth, organizations must implement all appropriate measures (including access controls and auditing procedures) even if it is difficult. Organizations often have difficulty implementing access controls and auditing and monitoring under the HIPAA Security Rule. The Medical System in the October 23 enforcement action is no different. Among other things, the Medical System failed to implement policies to ensure that only individuals who needed access to PHI for their job function had access. As examples of the failure of access controls, OCR cited as evidence an employee who was able to access the PHI of patients over a five-year period without a role-based need. In addition, a nurse impermissibly accessed the PHI of a patient after she no longer had a job-related reason to do so. In these instances, the PHI of the patients was sold and shared. The Medical System's failures to restrict access to PHI to the minimum necessary and to restrict access to classes of employees who need the PHI to fulfill their job duties were found to be aggravating factors supporting the reasonableness of the CMP.
Additionally, the Medical System failed to comply with the implementation specification regarding information systems activity review, which requires organizations to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Despite procedures that were allegedly in place that directed review of these logs, the Medical System admitted to several occurrences of unauthorized access to PHI within its systems that went unnoticed. And the Agency involved in the November 7 enforcement action simply failed to implement access and audit controls at all (or to appropriately document them). Therefore, it could not determine how many unauthorized persons accessed individuals' PHI. A proper risk analysis will evaluate the sufficiency of all of the security controls in light of the risks to the PHI, including access and audit controls. This must happen, or organizations are subjecting themselves to CMPs and CAPs.
As iterated by OCR in previous enforcement actions, not only are risk assessments required under the HIPAA Security Rule; those assessments should be made in a thorough and considerate manner and conducted in such a way as to ensure understanding of enterprise-wide risk and data. Pro forma risk analyses will not withstand scrutiny from OCR. Correctly conducting a risk assessment, including accurately identifying PHI used and disclosed by the entity and identifying the risks to that PHI, can lead to protection from arguments that safeguards in place at the time of an incident or otherwise were inadequate. Identifying the risks is not enough, however. Once identified and prioritized, organizations must reduce identified risks and vulnerabilities to a reasonable and appropriate level through a risk management process. Should you need any help with your HIPAA compliance program, including a thorough and protective risk analysis under the HIPAA Security Rule, please contact one of this alert's authors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.