Recent OCR Settlements Demonstrate that even if Strike One is Corrective Action, Strike Two can be Multi-Million Dollar Penalties

By | Published On: November 19, 2019

When it comes to electronic protected health information (ePHI), the Office for Civil Rights (OCR) is not in the business of providing covered entities with unlimited chances. OCR recently announced two enforcement actions: a $3 million settlement with University of Rochester Medical Center (URMC) and $1.6 million in civil monetary penalties against the Texas Health and Human Services Commission (Texas HHSC).  In both actions, OCR either previously provided technical assistance to the covered entity (URMC) or attempted to resolve the noncompliance through informal means (Texas HHSC).  When those efforts failed, OCR moved forward with the settlement and civil monetary penalty actions.

Lost and Stolen PHI

The University of Rochester Medical Center (URMC) agreed to pay a $3 million settlement and entered into a two-year corrective action plan after OCR investigated two breaches.  In 2013, URMC reported that an unencrypted flash drive was lost.  In 2017, URMC reported that an unencrypted laptop was stolen.

OCR’s investigation found URMC failed to conduct an enterprise-wide risk analysis; failed to implement security measures to reduce the risk and vulnerabilities to the ePHI it maintained; failed to implement policies and procedures governing the receipt and removal of hardware and electronic media that contained ePHI into and out of the facility (as well as within the facility); and failed to encrypt and decrypt ePHI when it was appropriate and reasonable to have done so.

According to the press release, OCR also investigated URMC in 2010 following a breach that involved an unencrypted flash drive that was lost.  OCR provided URMC with technical assistance following the 2010 breach.  At that time URMC identified the lack of encryption as a high risk; however, URMC continued to use unencrypted mobile devices.

PHI on the Internet

OCR recently imposed $1.6 million in civil monetary penalties against the Texas Health and Human Services Commission (HHSC).  In June 2015, the state agency that administered long-term care services for individuals who are aging and for individuals with intellectual and physical disabilities filed a breach report notifying OCR that the ePHI of 6,617 individuals (including names, addresses, social security numbers, and treatment information) was accessible and viewable on the internet after an internal application was moved from a private and secure server to a public server.  HHSC learned of the breach from an unauthorized user who was able to access ePHI without being required to input any user credentials.

OCR’s investigation found that the covered entity failed to conduct an enterprise-wide risk analysis; failed to implement access controls requiring users to provide credentials to access ePHI; and failed to implement audit controls to record and examine activity on its information systems.

Under the HITECH Act, OCR is authorized to impose civil monetary penalties against any covered entity that violates HIPAA.  There are four penalty tiers (no knowledge of violation, reasonable cause, willful neglect and corrected within 30 days, willful neglect and uncorrected within 30 days).  After attempting to resolve HHSC’s noncompliance through informal means without success, OCR determined the penalty tier for each violation was reasonable cause, meaning HHSC knew or should have known about the violation had they applied a reasonable amount of due diligence. OCR balanced HHSC’s response to the breach (prompt removal of the application from the public server, lack of evidence of harm to affected individuals, continued access to health care) against HHSC’s failure to come into compliance with HIPAA (amount of time HHSC remained out of compliance, failure to complete agency-wide security risk analysis described in HHSC’s response to OCR).  OCR found HHSC liable for the following civil monetary penalties:

  • Impermissible disclosures: $100,000
  • Access controls: $500,000 ($100,000 per calendar year)
  • Audit controls: $500,000 ($100,000 per calendar year)
  • Risk analysis: $500,000 ($100,000 per calendar year)

Next Steps for HIPAA Compliance Programs

Consider incorporating the lessons learned from these recent enforcement actions into your health center’s compliance work plan by:

  • Ensuring your health center regularly conducts a security risk analysis. If changes are planned to systems that maintain ePHI, ensure a security risk analysis is conducted before making changes.
  • Responding to your health center’s identified risks, including encrypting PHI when it is reasonable to do so, implementing appropriate controls, and implementing appropriate policies and procedures.
  • Responding to technical assistance received from OCR through your compliance work plan. Consider whether the topic should be addressed by training employees, developing additional policies, or through assessment as part of your health center’s security risk analysis.

If you have any questions regarding HIPAA compliance or investigations, please contact Dianne Pledgie or call FTLF at (202) 466-8960.

Ms. Pledgie is a member of the New York and Massachusetts Bars and is not licensed in Washington, DC. Her practice is limited to federal health care matters.