On Tuesday, May 21, 2013, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a State University (“University”) arising out of alleged violations of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlement comes after an HHS Office for Civil Rights (“OCR”) investigation into the University’s self-reported breach of unsecured electronic protected health information (“ePHI”) for approximately 17,500 patients at one of its family medicine clinics.
The underlying facts involved the disabling of firewall protections at the University’s servers, resulting in the ePHI being unsecured for at least 10 months. Specifically, HHS’s investigation concluded that from 2007 to 2012, the University failed to analyze the risk to ePHI confidentiality, to implement adequate security measures and to create adequate procedures to regularly review information system activity records to determine use or disclosure of ePHI. Accordingly, HHS and the University entered into a Resolution Agreement under which the University agreed to pay $400,000 to HHS and to perform the following additional obligations:
- Provide HHS with documents designating the University a hybrid entity and identifying all covered health care components, documents detailing the University’s implementation of policies and procedures concerning information system activity review for covered health care component clinics and documents describing the University’s updated compliance gap analysis activity indicating changes in compliance status for each provision of the Security Rule;
- Provide HHS with a risk management plan, including specific security measures aimed at risk and vulnerability reduction to a reasonable and appropriate level for its covered health care components and, upon HHS approval or alteration, prompt implementation of such a plan;
- Investigate possible employee compliance failures regarding the University’s Privacy and Security policies and procedures and report such failures to HHS; and
- Annually report summaries and updates of the University’s risk management plan and security measures, information system activity review measures, compliance gap analysis activity and compliance failures with resulting corrective and preventative action taken.
In the press release announcing this enforcement action, OCR Director Leon Rodriguez was quoted as stating that “risk analysis, ongoing risk management and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” and that “proper security measures and policies help mitigate potential risk to patient information.”
Practical Takeaways
In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective. Accordingly, covered entities should:
- Conduct a risk assessment to determine where vulnerabilities exist in current practices and systems;
- Actively monitor operations and systems to ensure that technical safeguards are functioning properly, particularly when there has been a material change in processes, personnel or functions;
- Review policies and procedures affecting privacy and security to ensure they are thorough and complete;
- Train workforce members on the details of HIPAA policies and procedures; and
- Consistently enforce policies and procedures when conduct occurs that is in violation of them.
More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.
If you need additional information about HIPAA and HITECH, please contact Mark J. Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.
Special thanks to Michael Nossett, Law Clerk, for his assistance with the preparation of this alert.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.
