$750,000 Settlement Agreement Reiterates Importance of HIPAA Security Rule Compliance
On September 2, 2015, the U.S. Department of Health and Human Services ("HHS") announced that it had entered into a Settlement Agreement with an Indiana-based medical practice for alleged violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The HHS investigation and settlement were prompted by a HIPAA breach report submitted to HHS by the medical practice. After conducting an investigation of the breach, HHS noted that the medical practice was "in widespread non-compliance" with the HIPAA Security Rule. This Settlement Agreement is a strong (and expensive) reminder for medical practices and all covered entities and business associates that they must be diligent in ensuring compliance with the HIPAA Privacy Rule and the Security Rule.
According to the HHS press release and Settlement Agreement, on August 29, 2012, Cancer Care Group, P.C. ("CCG"), a thirteen-physician radiation oncology practice, reported a breach of unsecured protected health information ("PHI"). The breach was caused by the theft of a CCG employee’s computer and unencrypted backup media from the employee’s car, which contained the electronic PHI ("ePHI") of approximately 55,000 individuals. In the course of its investigation of the breach, HHS learned that CCG had not conducted an enterprise-wide risk analysis nor did CCG have a written policy in place specifically addressing the removal of hardware and media containing ePHI from CCG’s work sites, despite the fact that doing so was a common practice at CCG. According to HHS, "[T]hese two issues, in particular, contributed to the breach."
As a result of the settlement, CCG agreed to pay HHS $750,000 and to enter into a comprehensive Corrective Action Plan ("CAP"). The CAP requires CCG to:
- conduct a comprehensive risk analysis and submit the same to HHS;
- develop, implement and present to HHS for review a risk management plan to mitigate any security vulnerabilities identified in the risk analysis;
- review and revise, as needed, its HIPAA Security Rule policies and procedures;
- review and revise, as needed, its HIPAA Security Rule training program; and
- submit an annual report to HHS with respect to CCG’s compliance with the CAP.
The HHS press release relating to the CCG settlement and the CCG Settlement Agreement and CAP are located here.
Recent HIPAA settlement agreements have demonstrated an increased emphasis by HHS on HIPAA Security Rule compliance. The HIPAA Security Rule specifically governs ePHI; its requirements include conducting a risk analysis and implementing a risk management plan. Saul Ewing has previously written about HHS and HIPAA settlement agreements here, here and here.
Health care providers and all covered entities and business associates that are subject to HIPAA should be diligent in all facets of their HIPAA compliance efforts including performing risk assessments, implementing policies and procedures for Privacy Rule, Security Rule and Breach Notification Rule compliance, and training employees on HIPAA compliance.
Saul Ewing attorneys regularly advise clients on all aspects of HIPAA compliance, including assisting clients with performing risk analyses, implementing risk management plans, breach assessment and notification and employee training programs. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.