In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements under which the agency will collect over $5 million in combined penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each settlement requires compliance with a Corrective Action Plan (CAP), which calls for the organization to invest significant resources in HIPAA compliance.
In all three cases detailed below, HHS began an investigation after it received notice of breaches of unsecured protected health information (PHI). These investigations can take anywhere from a few months to several years to complete. Each organization that was investigated seems to have had some HIPAA-compliance measures in place. However, HHS concluded in all three cases that the organizations did not perform an adequate and thorough data security risk assessment, as required by the HIPAA Security Rule. The agency implied that the data breaches and other alleged gaps in HIPAA compliance stemmed, in part, from this oversight.
HHS investigated Lahey Clinic Hospital after Lahey reported to HHS in 2011 that an unencrypted laptop containing the PHI of approximately 600 individuals had been stolen from an unlocked treatment room, where it had been connected to lab equipment.[1] In the course of the investigation, HHS alleged several areas of noncompliance with HIPAA, including: the failure to conduct an accurate and thorough data security risk assessment; the failure to implement physical safeguards for the laptop; the failure to properly track the movement of computer inventory; the failure to assign unique user names for logging into the laptop; the failure to implement a mechanism for monitoring activity on the laptop; and the unauthorized disclosure of PHI.
HHS investigated Triple-S Management Corporation and its subsidiaries following seven separate instances of unauthorized PHI disclosure since 2010.[2] The alleged breaches included former employees accessing PHI after their employment had been terminated, the use of vendors without a business associate agreement (BAA) in place, and the mailing of PHI to the wrong individuals. HHS alleged that Triple-S failed to comply with HIPAA when it: failed to conduct an accurate and thorough data security risk assessment covering all of its equipment; failed to implement appropriate data security measures; did not have BAAs in place with vendors; disclosed more PHI than was necessary for a particular purpose; failed to terminate access to PHI after an employment termination; and disclosed PHI to unauthorized recipients.
The health affiliates of the University of Washington (UW Medicine) allegedly suffered a breach of PHI in 2013 when an employee downloaded malware delivered as an email attachment.[3] The malware allegedly infiltrated UW Medicine’s network and compromised approximately 90,000 patient records. HHS investigated the breach and concluded that UW Medicine had failed to conduct an accurate and thorough data security risk assessment.
Corrective Action Plans
In addition to the monetary penalties, HHS required each organization noted above to comply with a CAP and with annual reporting requirements. In all three cases, the CAP requires the organization to develop, within specified deadlines, a current, comprehensive, and thorough analysis of its security risks and vulnerabilities. Triple-S is also required to develop a process for evaluating environmental and operational changes that affect data security. All three organizations must then submit the risk assessment to HHS for approval. Once the risk assessment is approved, the organization must submit a risk management plan to HHS for approval.
HHS also required Triple-S and Lahey to update their HIPAA-related policies and procedures so that they comply with HIPAA and are adjusted based on the risk management plan. Triple-S is required to annually update the policies and procedures and to submit them to HHS for review and approval for the next three years. The organizations have 30 days to implement the updated policies and procedures following approval by HHS. They are also required to internally distribute and provide employee training on the updated policies and procedures. In addition, Triple-S is required to have its business associates agree to abide by such policies and procedures.
The organizations have ongoing obligations for the length of their CAPs: two years for UW Medicine and Lahey, and three years for Triple-S. During this time, they are required to notify HHS of any workforce violations of their HIPAA-related policies and procedures, even when those violations do not result in a breach of PHI. UW Medicine and Triple-S must also submit annual compliance reports.
With HIPAA audits likely coming in 2016,[4] these enforcement actions may provide valuable insight into HHS’s plans for those audits. It is no secret that the 2012 audits identified a frequent lack of compliance with HIPAA’s requirements that entities perform annual data security risk assessments and implement risk management plans to mitigate the security risks and vulnerabilities identified. These recent enforcement actions show that this area continues to be a weakness in organizations’ compliance efforts. Organizations chosen for a random audit should be prepared to provide their risk assessments and risk management plans to HHS. Now is a good time for organizations to ensure that their risk assessments and management plans are current, comprehensive, and thorough.
The settlements also indicate that HHS may take an active role in ensuring an organization’s HIPAA compliance. In these cases, HHS was not satisfied solely with imposing a monetary penalty for the alleged violations; it also required a detailed CAP that sets an aggressive timeline for fixing the alleged problems with the organization’s HIPAA compliance. The agency also insists on reviewing and approving the organization’s remediation efforts. A settlement with HHS may therefore lead to two to three years of active HHS involvement in an organization’s internal business operations.
[1] See the Resolution Agreement with Lahey at http://www.hhs.gov/sites/default/files/lahey.pdf.
[2] See the Resolution Agreement with Triple-S at http://www.hhs.gov/sites/default/files/Triple-S%20-%20OCR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan%20in%20Final%20%28508%29.pdf.
[3] See the Resolution Agreement with UW Medicine at http://www.hhs.gov/sites/default/files/uw-ra-and-cap.pdf.
[4] See The WSGR Data Advisor, “No More Crying Wolf—HIPAA Audits Coming in 2016,” November 2015, https://www.wsgr.com/publications/PDFSearch/the-data-advisor/Nov2015/#8.