On August 14, 2013, the Department of Health and Human Services (“HHS”) announced that it reached a settlement with a not-for-profit New York health plan (“Health Plan”) stemming from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules. The settlement comes after an HHS Office for Civil Rights (“OCR”) investigation into the disclosure of electronic protected health information (“ePHI”), which the Health Plan reported under the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.
The OCR’s investigation revealed that the Health Plan failed to properly erase photocopier hard drives containing ePHI for as many as 344,579 individuals. The Health Plan first learned of the possible breach after being contacted by a representative of the CBS Evening News. As part of an investigative report, CBS had purchased a photocopier previously leased by the Health Plan that contained confidential medical information on the hard drive. In particular, the OCR concluded that the Health Plan: (1) impermissibly disclosed ePHI when it failed to properly erase the hard drives; (2) failed to assess and identify potential security risks and vulnerabilities of ePHI stored in photocopier hard drives; and (3) failed to implement its policies for the disposal of ePHI on photocopier hard drives before returning the devices to the leasing company.
Accordingly, HHS and the Health Plan entered into a Resolution Agreement under which the Health Plan agreed to pay $1,215,780 and implement corrective measures, which require the Health Plan to:
- Use best efforts to retrieve all photocopier hard drives that contain ePHI that remain in the possession of the leasing company and safeguard all ePHI contained on the hard drives from impermissible disclosure;
- Conduct a comprehensive risk analysis of ePHI security risks and vulnerabilities that includes all electronic equipment and systems controlled, owned or leased by the Health Plan;
- Develop a plan to address and mitigate any security risks and vulnerabilities found in the comprehensive risk analysis and, if necessary, revise current policies and procedures;
- Submit the plan and any revised policies and procedures to OCR for review; and
- Implement the plan and train staff on any revised policies and procedures.
In the press release announcing this settlement, OCR Director Leon Rodriguez noted that “[t]his settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away, or sent back to a leasing agent.”
Practical Takeaways
In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:
- Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for all electronic devices that store ePHI;
- Implementing policies and procedures that include proper disposal of ePHI on electronic devices before they are recycled, disposed of or returned to leasing companies;
- Frequently reviewing and revising privacy and security policies to ensure that ePHI is safeguarded on all electronic devices;
- Periodically updating privacy and security training for workforce members and ensuring that policies and procedures are communicated throughout the organization; and
- Developing and consistently enforcing internal sanctions for workforce members who violate privacy and security policies and procedures.
More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.
If you need additional information about HIPAA and HITECH, please contact Mark Swearingen at 317-977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.
Special thanks to Corbin Santo, Law Clerk, for his assistance with the preparation of this article.
Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.