HHS Announces First Settlement of HIPAA Breach Affecting Less Than 500 Individuals

Posted on January 3, 2013 in Long-Term Care, Home Health & Hospice

Written by: Kendra Conover

On January 2, 2013, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a hospice provider (“Hospice”) arising from potential violations of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  HHS learned of the circumstances giving rise to the enforcement action through the notification provided by the Hospice to HHS under the Breach Notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  This is the first settlement for a breach affecting less than 500 individuals.

The underlying facts involved the theft of a Hospice laptop computer that contained the electronic protected health information (“ePHI”) of 441 Hospice patients.

The HHS Office for Civil Rights (“OCR”) investigated the reported breach and discovered the Hospice had not conducted a risk analysis to safeguard ePHI.  In particular, the Hospice did not: (a) evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices; (b) implement appropriate security measures to address such potential risks; (c) document the chosen security measures and the rationale for adopting those measures; and (d) maintain reasonable and appropriate security measures.  Further, the Hospice did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  The HHS press release noted that, since the June 2010 theft, the Hospice has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.  Nonetheless, OCR and the Hospice entered into a Resolution Agreement whereby the Hospice agreed to pay HHS a $50,000 settlement payment and to perform the following obligations under a Corrective Action Plan:

  • For a period of two years from the Effective Date of the Resolution Agreement (the “Reporting Period”), the Hospice must promptly investigate any allegation that a workforce member may have failed to comply with its Privacy and Security policies and procedures.  If the Hospice, after review and investigation, determines that a workforce member has failed to comply with its Privacy and Security policies and procedures, the Hospice shall notify HHS in writing within 30 days.  The report to HHS of such “Reportable Events” shall include the following:
    • A complete description of the event, including the relevant facts, the persons involved and the provision(s) of the Hospice’s Privacy and Security policies and procedures implicated; and
    • A description of the actions taken and any further steps the Hospice plans to take to address the matter, to mitigate any harm and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with the policies and procedures.
  • If no Reportable Events occur within the two-year Reporting Period, the Hospice must inform OCR of the same in writing within 30 days of the conclusion of the Reporting Period.

In the press release announcing this enforcement action, OCR Director Leon Rodriguez was quoted as saying, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.  Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

Practical Takeaways

In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:

  • Conducting a risk assessment to determine where vulnerabilities exist in current practices and systems, paying close attention to portable electronic devices;
  • Reviewing policies and procedures affecting privacy and security to ensure that they are thorough and complete;
  • Actively monitoring compliance, particularly when there is a material change in processes, personnel or functions;
  • Consistently enforcing policies and procedures when conduct occurs that is in violation of them; and
  • Considering the use of encryption for all media and devices that store, transmit or maintain protected health information.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH.  Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.

If you would like additional information, please contact Todd Selby at 317.977.1440 or tselby@wp.hallrender.com, Mark Swearingen at 317.977.1458 or mswearingen@wp.hallrender.com, Kendra Conover at 317.977.1456 or kconover@wp.hallrender.com or your regular Hall Render attorney.