HIPAA Update: 2017 OCR Enforcement Activity
So far in 2017, HHS’s Office for Civil Rights (OCR) has announced a handful of significant HIPAA settlements and imposed a civil monetary penalty against covered entities stemming from various investigations following the entities’ HIPAA breach notifications. A summary of events leading to the breach notifications and the associated settlements/civil monetary penalty are as follows:
HIPAA Privacy & Security Rule Violations
On January 11, 2017, OCR announced a $2.2 million settlement with MAPFRE Life Insurance Company (“MAPFRE”) in relation to HIPAA privacy and security violations. The violations were uncovered during an investigation following the covered entity’s breach notification reporting the theft of an unencrypted USB device from the entity’s IT department where it was stored overnight without any safeguards. OCR found that the entity failed to conduct a risk analysis, implement risk management protocols, establish a training program, and encrypt its laptops and removable storage media. MAPFRE also agreed to a three-year Corrective Action Plan (“CAP”) requiring an inventory of all devices, systems and applications that contain or store PHI, correction of its HIPAA deficiencies, and annual status reports to OCR.
On January 18, 2017, OCR announced a $3.2 million civil monetary penalty against Children’s Medical Center in Dallas, Texas (“Children’s”) for noncompliance with the HIPAA Security Rule. Children’s reported a breach in 2010 following the loss at an airport of a BlackBerry device that was neither encrypted nor password protected. Another breach was reported in 2013 following the theft of an unencrypted laptop computer from a storage area on its premises. Both devices contained the PHI of thousands of individuals. These events prompted an OCR investigation, which concluded that the covered entity had failed for several years to implement adequate risk management plans or to encrypt PHI, despite recommendations from external consultants (and warnings about the consequences of not doing so). Aggravating factors that led to a penalty of this magnitude include the length of time during which the entity continued to use unencrypted devices, its history of non-compliance, and several other instances in which unencrypted devices were lost or stolen. This is only the third civil monetary penalty imposed by OCR under the HIPAA privacy and security rules to date. OCR prefers settlements that incorporate CAPs because they allow OCR to monitor ongoing compliance.
On April 12, 2017, OCR announced a $400,000 settlement with Metro Community Provider Network (“MCPN”), a federally-qualified health center in Colorado, for alleged violations of the HIPAA Privacy and Security Rules. In a January 2012 breach notification, MCPN reported that an attacker had gained access to MCPN employees’ email accounts through a phishing incident and thereby obtained the electronic PHI of 3,200 individuals. OCR initiated an investigation in April 2012, which found that, although MCPN took the necessary corrective action in response to the phishing incident, it had not conducted a risk analysis prior to the breach and therefore had not implemented the necessary risk management plans. When MCPN finally conducted a risk analysis, it was insufficient to meet the requirements of the Security Rule. MCPN also agreed to a three-year CAP requiring it to conduct a risk analysis, develop and implement a risk management plan, and review and revise its policies and procedures as well as its training materials, all of which must be approved by OCR.
Untimely Breach Notification
In a January 9, 2017 press release, OCR announced a $475,000 settlement with Presence Health, its first settlement agreement based on allegations of untimely breach notification. Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and in no case later than 60 days after discovery of a breach; for a breach affecting 500 or more individuals, OCR must be notified on the same timeline, and prominent media outlets must also be notified if the breach affects more than 500 residents of a single state or jurisdiction. Presence Health, a large health care network in Illinois, failed to timely notify affected individuals, OCR, and prominent media outlets: it provided written notification more than 100 days after discovering that paper-based operating room schedules containing the PHI of more than 800 individuals had gone missing from one of its facilities in October 2013. During OCR’s investigation, it was also determined that Presence Health had failed to timely provide notification for breaches affecting fewer than 500 individuals in 2015 and 2016. Presence Health also agreed to a two-year CAP requiring review and revision of its breach notification and sanctions policies and procedures, as well as revision of its training materials, all of which must be approved by OCR. The CAP also requires annual training and re-training on these policies and procedures.
Failure to Terminate Login Credentials
OCR announced on February 14, 2017, a settlement of $5.5 million with South Broward Hospital District d/b/a Memorial Healthcare System (“MHS”) following the report of a breach involving more than 115,000 individuals’ PHI. This is one of the largest reported settlements ever with a HIPAA covered entity. MHS’s breach notification reports indicated that up to 14 employees had impermissibly accessed patient information. Some of these employees and former employees were indicted on federal charges for selling PHI. While MHS had workforce access policies and procedures in place, OCR’s investigation revealed that MHS had not implemented the HIPAA-required procedures to review, modify, and terminate users’ access to PHI, and had failed to regularly review information system activity by workforce members on applications containing PHI (despite identifying this risk in its own risk analyses). OCR found that a former employee’s login credentials were not terminated and continued to be used, without detection, on a daily basis over a one-year period to improperly access PHI maintained by the facilities. MHS also agreed to a CAP requiring a system-wide risk analysis and risk management plan; revision of policies and procedures (which must be approved by OCR) regarding review of information system activity and the review, modification, and termination of user access to PHI; adoption of an internal CAP compliance monitoring plan; and engagement of an HHS-approved, independent third party to annually review MHS’s compliance with the CAP for a period of three years.
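The MHS case turns on two controls the Security Rule requires: terminating access when a workforce member leaves, and regularly reviewing information system activity. The following script, added here as an illustration and not part of the original article or of any covered entity’s tooling, shows the simplest form of the second control catching a failure of the first. It joins a constructed HR roster (username and termination date) against constructed application authentication log lines in a hypothetical key=value format, and flags every successful login that occurs after the user’s termination date, or by an account that has no owner in the roster at all. All usernames, dates, hosts and the log format are invented for the example.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster (hypothetical, not from the article):
# username -> termination date, or None for an active employee.
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2016, 3, 1),
    "bwong": date(2016, 6, 15),
}

# Constructed authentication log in a hypothetical key=value format.
# Lines are invented sample data for this example only.
AUTH_LOG = """\
2016-02-28T08:02:11 app=ehr user=asmith event=login result=success src=10.1.4.22
2016-03-03T07:58:40 app=ehr user=asmith event=login result=success src=10.1.4.22
2016-03-04T08:01:05 app=ehr user=asmith event=login result=success src=10.1.4.22
2016-03-04T08:05:19 app=ehr user=jdoe event=login result=success src=10.1.7.9
2016-03-05T02:00:00 app=ehr user=svc_old event=login result=success src=10.1.4.50
2016-06-16T09:12:00 app=billing user=bwong event=login result=failure src=10.1.9.3
2016-06-17T09:10:31 app=billing user=bwong event=login result=success src=10.1.9.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the key=value log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_post_termination_access(events, roster):
    """Flag successful logins that should have been impossible.

    A login is flagged when the account belongs to a user whose HR
    termination date is strictly before the login date (a same-day login
    is treated as the last working day and left alone), or when the
    account does not appear in the roster at all, since an account with
    no identifiable owner should not be authenticating either.
    """
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue  # failed attempts are noise for this control
        user = ev["user"]
        if user not in roster:
            reason = "account not in HR roster"
        else:
            term = roster[user]
            if term is None or ev["ts"].date() <= term:
                continue  # active employee, or login on/before termination day
            reason = "login %d day(s) after termination" % (ev["ts"].date() - term).days
        findings.append({
            "ts": ev["ts"], "user": user, "app": ev["app"],
            "src": ev["src"], "reason": reason,
        })
    return findings


def summarize(findings):
    """Per flagged user, the number of distinct days with improper access."""
    days = defaultdict(set)
    for f in findings:
        days[f["user"]].add(f["ts"].date())
    return {u: len(d) for u, d in days.items()}


if __name__ == "__main__":
    found = find_post_termination_access(parse_auth_log(AUTH_LOG), HR_ROSTER)
    for f in found:
        print(f["ts"].isoformat(), f["user"], f["app"], f["src"], "-", f["reason"])
    print("days of improper access per user:", summarize(found))
```

Run daily against the previous day’s logs, a check like this would have surfaced the MHS pattern (one account authenticating every working day for a year after the owner left) on the first day rather than after twelve months. The join key is the weak point in practice: the HR system and the application must agree on the username, and accounts that exist only in the application (service accounts, contractors) need an owner recorded somewhere, which is why the script flags roster misses rather than ignoring them.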
Lessons from Recent OCR Enforcement Activities
Health plans, as Covered Entities, need to make sure their HIPAA compliance is in order. There are several lessons for Covered Entities following recent OCR enforcement activities:
- Completing a risk analysis is vital! This is the starting point for developing a risk
- Develop, document, and enforce tailored and specific policies and procedures for your
- Review and update risk analysis and policies and procedures on a regular basis to ensure ongoing compliance. Once is not enough!
- Failure to comply can be expensive.
The content herein is provided for educational and informational purposes only and does not contain legal advice. Please contact our office if you have any questions about the HIPAA privacy, security, and breach notification rules and how they may impact your organization.
Dated: April 25, 2017