Two Multi-Million Dollar HIPAA Settlements Emphasize Importance of a Comprehensive Security Program
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced two settlements of more than $2 million each with respect to alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlements involve Oregon Health and Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”). Both settlements followed HIPAA breach reports involving lost or stolen mobile and storage devices. The settlements emphasize the continued importance of an enterprise-wide HIPAA security program with appropriate institutional oversight.
OCR’s investigation of OHSU arose after OHSU submitted multiple breach reports, including two reports involving unencrypted laptops and another involving a stolen unencrypted thumb drive. According to the press release issued by OCR announcing the OHSU settlement, OCR’s investigation revealed “widespread vulnerabilities within OHSU’s HIPAA compliance,” including that the electronic protected health information (“PHI”) of more than 3,000 individuals was being stored by a third-party vendor without a business associate agreement. Although OHSU had conducted numerous risk analyses, OCR determined the analyses to be insufficient because they “did not cover all [electronic] PHI in OHSU’s enterprise.”
As a condition of the settlement, OHSU is required to pay OCR $2.7 million and enter into a three (3) year corrective action plan (“CAP”) with OCR. According to the CAP, OHSU must:
- Conduct a thorough assessment of any risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI held at all OHSU facilities;
- Develop a risk management plan to reduce the risks and vulnerabilities identified in the assessment. OHSU must submit the risk assessment and risk management plan to OCR for approval;
- Submit an annual report to OCR with respect to OHSU’s encryption status, including: (i) implementation of a mobile device management solution to ensure all OHSU mobile devices that access electronic PHI are encrypted or that reasonable controls have been implemented to protect the electronic PHI; (ii) implementation of a solution to enforce encryption of electronic PHI on devices (e.g., laptops and desktops) or other reasonable controls to protect the electronic PHI on these devices; and (iii) development of policies prohibiting the transfer of data containing electronic PHI to unencrypted removable storage devices;
- Separate from the encryption reports, submit annual reports to OCR with respect to OHSU’s compliance with the entirety of the CAP; and
- Conduct privacy and security awareness training.
The OHSU press release, settlement agreement and CAP may be found here.
In March 2013, UMMC submitted a HIPAA breach report to OCR following the theft of a password-protected laptop from UMMC’s medical intensive care unit. OCR’s investigation revealed that UMMC had been aware of risks and vulnerabilities to its systems for several years, but “no significant risk management activity occurred until after the breach.” Specifically, OCR’s investigation revealed that electronic PHI was exposed to unauthorized access following the laptop theft because users could access a directory of more than 67,000 files using a generic username and password.
As part of the settlement, UMMC is required to pay OCR $2.75 million and enter into a three (3) year CAP. The CAP requires UMMC to do the following:
- Designate an individual to serve as Internal Monitor to review UMMC’s compliance with the CAP. The Internal Monitor must submit quarterly reports to OCR on the Internal Monitor’s activities;
- Prepare an enterprise-wide risk analysis and risk management plan;
- Update policies and procedures for HIPAA Security Rule compliance and Breach Notification Rule compliance;
- Develop a plan to require a unique name or number to identify and track users of all systems that contain electronic PHI;
- Conduct security awareness training; and
- Submit annual reports with respect to UMMC’s compliance with the CAP.
The UMMC press release, resolution agreement and CAP may be found here.
Takeaways and Important Next Steps
Mobile devices present security challenges for covered entities and business associates. Failure to protect electronic PHI on these devices can have significant adverse consequences. Covered entities and business associates must conduct comprehensive and enterprise-wide risk assessments and implement rigorous security management programs.
OCR HIPAA settlements with covered entities and business associates for 2016 alone now exceed $14.5 million. Covered entities and business associates should review each OCR settlement agreement and take the lessons from these public documents to ensure their own organizations are not susceptible to the same fact scenarios and take appropriate precautions to ensure HIPAA compliance.
Saul Ewing attorneys regularly counsel and assist clients with their HIPAA Privacy Rule, Security Rule and Breach Notification Rule challenges and needs, including assistance in conducting risk assessments and implementing risk management programs. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.