Six-Figure January HIPAA Enforcement Activities Highlight Importance of Maintaining Privacy Protections
The U.S. Department of Health & Human Services’ (“HHS”) Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) were each involved in the resolution of high profile privacy matters in January 2016. The two different matters forecast the anticipated ongoing HIPAA enforcement efforts by governmental authorities in 2016 and the need for providers, payors and vendors in the health care industry to implement and maintain comprehensive and effective privacy and security compliance programs.
OCR CMP Case
On January 13, 2016, an HHS Administrative Law Judge (“ALJ”) affirmed OCR’s imposition of a $239,800 civil monetary penalty (“CMP”) against Lincare, Inc. (“Lincare”) relating to violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Lincare case is only the second time that the OCR has sought CMPs to penalize a health care provider for a HIPAA violation. According to OCR’s press release, the CMPs were affirmed by an ALJ upon appeal in both cases.
The Lincare decision was triggered by a marital dispute. A woman who was a Lincare manager moved out of her home and left several patient records that included Protected Health Information (“PHI”) behind in the marital home and car. The woman’s husband was not authorized to access these patient records. The husband voluntarily reported his possession of the PHI to both Lincare and OCR in 2008. OCR and Lincare agreed that taking PHI out of the office was necessary given Lincare’s at-home medical equipment supply business. However, Lincare had no written policies describing the safeguards for employees to use when PHI was removed from the Lincare offices.
In upholding the OCR’s initial determination, the ALJ made the following notable rulings:
- While Lincare argued that it was a victim of a theft for which it should not be held accountable, the ALJ ruled that, even if this were the case, Lincare was obligated under HIPAA to take reasonable steps to protect its PHI from theft. The ALJ ruled that Lincare failed to take these steps; and
- Lincare’s policies and procedures were “inadequate” to protect PHI that was removed from Lincare’s offices. Further, even after Lincare discovered the incident involving the office manager, Lincare failed to create new HIPAA policies, or revise its existing ones, with respect to PHI removed from the office.
The OCR’s notice of proposed determination and the ALJ’s January 13, 2016 opinion are available here.
The FTC obtained a settlement on January 5, 2016, relating to charges that Henry Schein Solutions, Inc. (“Schein”), a provider of office management software for dental practices, misrepresented the level of encryption its software provides. According to the press release issued by the FTC, Schein knowingly used a data masking system less rigorous than the Advanced Encryption Standard (“AES”), the industry standard for meeting HIPAA obligations. The FTC noted that Schein marketed the software as providing “industry-standard encryption of sensitive patient information.”
As part of the settlement, Schein will pay $250,000 to the FTC and is prohibited from misleading customers concerning the extent of Schein’s data encryption. Further, as part of the settlement, Schein is required to notify all of its customers who purchased its software that the product does not provide industry-standard encryption.
The FTC press release is available here.
HIPAA compliance is an important issue for all participants – covered entities and business associates – in the health care delivery system. Regular review and updating of policies and procedures, together with rigorous training, are essential to ensuring compliant conduct. The federal government has placed a premium on enforcing HIPAA compliance, and many states are becoming more active in data privacy matters as well.
Saul Ewing has substantial experience assisting covered entities and business associates with creating and maintaining HIPAA compliance programs. Attorneys in the Firm regularly create and review HIPAA policies and procedures, provide HIPAA training, counsel clients on HIPAA compliance, assist in conducting risk assessments and preparing risk management programs, and advise on HIPAA breaches and reporting responsibilities. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.