There have been a number of developments in recent months regarding privacy and security under the Health Insurance Portability and Accountability Act (HIPAA). Additionally, recent ransomware attacks should serve as a reminder to all health plan sponsors of the importance of implementing procedures to ensure the security of protected health information (PHI).
The Department of Health and Human Services (HHS) has notified subscribers to its HIPAA Privacy Listservs of a warning issued by the United States Computer Emergency Readiness Team regarding a coordinated, global ransomware attack.
Failure to terminate a former employee’s login credentials led to a $5.5 million settlement. The failure led to the breach of PHI for more than 115,000 people. The covered entity failed to implement the controls required by its policies and failed to audit and enforce compliance with its policies.
The Office of Civil Rights (OCR) within HHS cited a covered entity’s continued use of unencrypted portable devices as an aggravating factor when it assessed a $3.2 million civil monetary penalty. Encryption is one of OCR’s top priorities for mobile devices and storage media.
A $2.5 million settlement resulted from a laptop being stolen from a parked vehicle outside of an employee’s home. The laptop contained the electronic PHI (ePHI) of 1,391 people. The investigation by OCR showed that the employee’s employer had an insufficient risk analysis and risk management process. Additionally, policies and procedures were in draft form and had not been implemented.
A health system is paying $2.4 million to settle charges it violated the HIPAA Privacy Rule by issuing a press release with the name and other PHI about a patient without the patient’s authorization. OCR has warned that a covered entity is not excused from HIPAA’s privacy requirements because it believes an individual’s identity is already publicly known.
HHS has announced a $2.2 million settlement related to a stolen pen drive containing ePHI. No safeguards were in place for the data storage device.
OCR announced a $650,000 settlement after a covered entity’s systems were infected with malware. The covered entity also must comply with numerous requirements under a corrective action plan.
OCR announced a penalty of $475,000—the first HIPAA settlement for lack of a timely breach notification.
OCR has announced a $400,000 settlement with a HIPAA covered entity related to the breach of PHI of 3,200 people. OCR’s investigation began after the covered entity filed a breach notification report indicating that a hacker had accessed its system. Failure to perform a risk analysis or adopt a risk management plan led to the penalty.
OCR has also announced a settlement of $31,000 for failure to have a business associate agreement in place.
HHS has announced increased penalties for HIPAA violations that reflect a 10.02 percent increase. Inflation adjustments will be issued each year from now on.
HHS has provided guidance on cloud computing and the HIPAA privacy and security rules. A cloud service provider is a business associate under HIPAA even if the cloud service provider processes or stores only encrypted ePHI and lacks an encryption key for the data. Even such a no-view cloud-based system requires monitoring to ensure compliance with HIPAA. Employers should review their systems to ensure business associate agreements and other protections are in place with cloud-based providers.
2016 was the biggest year yet by far for monetary settlements under the HIPAA privacy and security rules and recent enforcement actions have not slowed down under the new administration. HHS announced 12 settlements in 2016, averaging almost $2 million each. Three more settlements were announced in the first three months of 2017, along with a $3.2 million penalty in another case. Since OCR began enforcing HIPAA, it has collected over $70 million in a total of 50 cases.
Enforcement actions like these should make it clear that the security management process should be a top priority for covered entities. Risk analysis and risk management are baseline expectations. Periodic updates are also essential.