The covered entities involved in the two most recent HIPAA settlements could not be more different:

• A small federally qualified health center (with approximately 43 employees and serving approximately 3,100 patients per year) that reported the electronic protected health information (ePHI) of 1,263 patients was affected when it was sent to an unknown email account in 2011; and
• A large non-profit health system (that includes three academic teaching hospitals, a hospital, and a behavioral health organization) that reported the ePHI of 20,431 patients was affected when a laptop was stolen from an employee’s car in 2017.

Despite their different sizes, breach details, and applicable breach reporting rules, the Office for Civil Rights (OCR) identified “systemic noncompliance” with the HIPAA Rules for both of the covered entities.  The settlements, summarized below, demonstrate that a breach investigation can take years to resolve, can expand beyond the initial reported breach to include a comprehensive evaluation of HIPAA compliance, and can result in substantial payments and years-long corrective action plan requirements.

Health Center Pays $25,000 Settlement and Agrees to Two-Year Corrective Action Plan for Email Breach Affecting PHI of 1,263 Patients  

• In 2011, a health center reported a breach affecting the PHI of 1,263 patients. The breach occurred when an email was sent to an unknown email account.  At the time of the breach, the HITECH Breach Notification Interim Final Rule defined a breach to include an impermissible disclosure of PHI that “poses a significant risk of financial, reputational, or other harm to the individual” (74 Fed. Reg. 42767) and required reporting to the affected individuals, to OCR, and to the media (for breaches affecting over 500 individuals).

OCR’s compliance review identified “longstanding, systemic noncompliance with the HIPAA Security Rule,” including:

• The health center had not implemented HIPAA Security Rule policies and procedures as required under 45 CFR § 164.316;
• The health center failed to provide HIPAA Security awareness and training for its workforce members until 2016 as required under 45 CFR § 164.308(a)(5); and
• The health center failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI as required by 45 CFR § 164.308(a)(1)(ii)(A).

Nearly nine years after the initial breach report, the health center agreed to pay $25,000 and entered into a two-year corrective action plan, which requires the health center to:

• Conduct risk analyses and develop risk management plans: The health center is required to conduct an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities; create a complete inventory of all electronic data systems, off-site data storage facilities, and applications that contain or store ePHI; and develop a risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis.  The health center must conduct a risk analysis and develop a risk management plan annually during the corrective action plan.
• Review and revise its HIPAA Privacy, Security and Breach Notification Rule policies and procedures: The health center is required to create or revise its policies and procedures in response to any findings in its risk analysis.
• Adopt, distribute and regularly update its HIPAA Privacy, Security and Breach Notification Rule policies and procedures: After finalizing its policies and procedures, the health center is required to distribute them to all of its workforce members, including new workforce members within 14 days, and to business associates and vendors.  The health center must document that the workforce members and business associates have read, understand, and shall abide by the policies and procedures.  The health center must not provide access to PHI unless and until the documentation is obtained.
• Develop and provide training: The health center is required to train all workforce members, including training new workforce members within 14 days and in all cases before providing access to PHI.  Workforce members must certify they have received training.  The health center must maintain all training materials and certifications.

This is the second HIPAA settlement with a federally qualified health center.  OCR noted that it took into account the health center’s role in providing “a variety of discounted medical services to the underserved” in reaching the agreement.  The resolution agreement, signed in March 2020, was not announced until July 2020.  More information can be found here.

Health System Pays $1,040,000 Settlement and Agrees to Two-Year Corrective Action Plan in Response to Theft of Laptop Affecting PHI of 20,431 Patients

In 2017, the parent company and business associate of a non-profit health system filed a breach report after the theft of an unencrypted laptop.  The employee’s work emails, cached in a file on the laptop’s hard drive, contained the ePHI (names, medical record numbers, demographic information, including partial address information, and the name of one or more medications that were prescribed or administered) of 20,431 individuals.

OCR’s investigation identified “systemic noncompliance with the HIPPA Rules,” including:

• The health system did not implement policies and procedures to encrypt all devices used for work purposes (45 CFR 164.312(a)(2)(iv)) after finding it was reasonable and appropriate to encrypt such devices;
• The health system did not implement policies and procedure to track or inventory all devices with access to the network or which contain ePHI (45 CFR 164.310(d)(1)); and
• The health system failed to have business associate agreements (BAAs) in place with the parent company and provider affiliates (45 CFR 164.502(e)).

The health system agreed to pay $1,040,000 and entered into a two-year corrective action plan, which required the health system to:

• Provide device and equipment encryption and network access control reports to HHS, as well as mobile device management status reports and testing;
• Review and revise policies and procedures on device and media controls;
• Distribute and train workforce members on device and media policies and procedures; and
• Revise its policies and procedures related to business associates to include designating an individual to ensure execution of a BAA prior to disclosure of PHI, developing a process to identify business associates, creating a template BAA and maintaining documentation of the BAA.

More information can be found here.

Next Steps for HIPAA Compliance:

Whether a covered entity is a small health center or a large health system, OCR investigates every breach affecting 500 or more individuals.  As demonstrated by the most recent settlements, these investigations can reach beyond the initial breach and uncover systemic noncompliance with the HIPAA Privacy, Security and Breach Notification Rules.  The investigation process can be lengthy, expensive, and conclude with a settlement that includes payment and years of oversight and monitoring by OCR under a corrective action plan.  Covered entities, including health centers, should devote the resources necessary to ensure HIPAA compliance in order to avoid or limit the costs of non-compliance.

Looking to learn more about HIPAA?  Join us for our HIPAA for Health Centers workshop series.  If you have questions regarding HIPAA compliance, please contact Dianne Pledgie at DPledgie@feldesman.com.