And the Money Keeps Rolling in … Recent HIPAA Settlements and the Focus on Encryption
Note: This is the first article in a 2-part series on HIPAA and data security and encryption. The June edition of the Health Law Advisory will include an article by James E. O’Connor of the Technology and Intellectual Property Practice Group.
Four recent settlement agreements between health care organizations and the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) continue to prove that the OCR will not offer forgiveness when an organization experiences a HIPAA breach due to a lost or stolen unencrypted device. The OCR has stated “our message to these organizations is simple: encryption is your best defense against these incidents.” Each of the following settlements offers valuable lessons and serves as a useful reminder that organizations must continue to address the security of electronic protected health information (“ePHI”).
Concentra Health Services
Concentra filed a breach report with the OCR following the theft of an unencrypted laptop from one of Concentra’s physical therapy centers in Missouri. The OCR initiated an investigation and found that Concentra had previously conducted a risk assessment and identified lack of encryption as a risk to the security of ePHI. Over a four-year period, Concentra encrypted some of its devices; however, the organization’s efforts were not consistent and many devices remained unencrypted up to and following the breach. As a result, Concentra agreed to a $1,725,220 monetary settlement and entered into a Corrective Action Plan (“CAP”) with the OCR whereby Concentra agreed to implement multiple compliance steps including performing updated risk analyses and reporting to OCR.
QCA Health Plan, Inc.
QCA’s breach involved the theft of an unencrypted laptop containing ePHI from an employee’s car. Following the report of the breach to the OCR, the OCR found that from the compliance date of the HIPAA Security Rule in 2005 until 2012, QCA had failed to comply with multiple provisions of the Security Rule, including failure to assess the potential risks and vulnerabilities to ePHI. QCA entered into a $250,000 settlement and CAP with obligations to retrain QCA’s workforce and provide an updated risk analysis and mitigation plan to the OCR.
New York Presbyterian Hospital (“NYP”) and Columbia University (“CU”)
These two settlements totaling $4.8 million represent the largest HIPAA enforcement action to date. The two hospitals, as separate covered entities, operated a shared network that linked the hospitals’ information systems. A CU physician attempted to deactivate a personally-owned server on the network containing NYP ePHI. Due to a lack of technical safeguards, the deactivation led to ePHI of 6,800 individuals being accessible through Internet search engines. The organizations learned of the breach following a complaint by an individual who discovered a deceased partner’s PHI on the Internet. The organizations submitted a joint breach report to the OCR. The OCR investigated and found that neither organization had conducted an accurate and thorough risk assessment to identify all systems that could access ePHI. In addition, neither organization had an adequate risk management plan to address potential threats to the security of ePHI. NYP agreed to a $3,300,000 settlement and CU agreed to a $1,500,000 settlement. Both organizations are subject to CAPs, which require each organization to undertake a risk assessment, develop a risk management plan, revise policies and procedures, train staff, and provide progress reports to the OCR.
These recent settlements and the requirements of the CAPs demonstrate that failure to adequately implement or address data security, including encryption, can be very costly to a health care organization. Data security must be a core focus of any health care organization’s efforts to manage its information systems. Due to numerous factors and resource constraints, many organizations struggle to fully understand and address data security. The second article in this series will address some ongoing steps that organizations can take to address these issues.