The latest HIPAA enforcement settlement highlights the usual pitfalls
On September 2, 2015 the Office of Civil Rights (OCR) of Health and Human Services (HHS) announced the latest HIPAA enforcement settlement: $750,000 related to a breach at Cancer Care Group, PC. This HIPAA enforcement settlement had the usual litany of problems. They include a stolen laptop with unencrypted back-up media containing PHI, and the lack of a HIPAA Risk Assessment with policies and procedures to protect devices and storage media.
The latest HIPAA enforcement settlement – part of a trend
There have been HIPAA enforcement settlements each year since 2008. The first one almost seems quaint now: a $100,000 settlement related to stolen laptops and backup media with a hospice/home care agency that was part of a large corporate health system. The cost of not protecting PHI started to go up dramatically after that, with a $2.25m settlement in 2009 with a pharmacy chain that was disposing of old paper prescriptions in a dumpster, followed by a $1m settlement with another pharmacy chain doing the same thing the following year. Then it started to get serious. The largest year for settlements was 2014, with 5 settlements imposing fines of $6.19m, followed closely by 2011 with 3 settlements worth $6.16m.
The actions range from one-off situations, like hospital executives responding in the media to accusations from a patient about substandard care (and releasing PHI in the process), to the usual suspects in breaches: lost or stolen laptops or storage media, the same issue in the latest settlement.
HIPAA enforcement settlement – the last step in an investigation
Each HIPAA enforcement settlement is preceded by an investigation, usually triggered by disclosure of a breach by a covered entity, but sometimes by patient complaints. And investigators will look at everything related to HIPAA compliance, including policies and procedures related to privacy and breach, and the security of ePHI.
Investigations in the past few years have several findings in common:
- Lack of a HIPAA Security Rule risk assessment, and lack of addressing vulnerabilities revealed by the risk assessment when one was done;
- Lack of developing and enforcing policies and procedures related to the security of ePHI, especially when it can be downloaded onto laptops or other digital storage media;
- Lack of training of employees in the HIPAA Privacy and Security Rule requirements, and the policies and procedures for compliance.
HIPAA enforcement settlement penalties seem to be increasing. The smallest of 3 settlements in 2015 was for $125,000 with a pharmacy improperly disposing of paper prescription records. (What’s with pharmacies and throwing out paper prescriptions?) The other two HIPAA enforcement settlements were for $750,000 and $218,400, respectively, with provider organizations. Of course, the penalty in each HIPAA enforcement settlement is determined individually, but the minimum settlement involving provider organizations has been $150,000 in the last few years.
Each HIPAA enforcement settlement is usually accompanied by a Resolution Agreement, a contract requiring the entity to do all the things it is supposed to do anyway under the HIPAA Privacy and Security Rules, and to report its activities to the OCR for a period of three years.
HIPAA enforcement settlements to date: the tip of the iceberg
While the most recent HIPAA enforcement settlement is substantial in the amount of the penalty, the 23 settlements announced thus far pale in comparison to the 1,335 breach reports, affecting 500 or more individuals, submitted to the OCR to date.
And the nature of reported breaches is also evolving. Although over 500 of these breach reports are related to theft or other issues with laptops or storage media, hacking/IT incidents are catching up fast. There were few hacking/IT related breaches reported in the early years of reporting, but there were 31 such incidents reported in 2014 and 46 in the first 9 and one-half months of 2015!
And Business Associates are catching up to covered entities on breach notifications, with 280 breach reports filed by or involving a business associate.
Is there a HIPAA enforcement settlement in your future?
Well, there doesn’t have to be! We can learn from others’ misfortune (or mismanagement, or just plain bad luck, if you prefer).
- Perform a HIPAA Risk Assessment! It need not be too complicated, especially for small organizations.
- Address the vulnerabilities revealed in the risk assessment, using best practices wherever possible.
- Write and enforce policies and procedures related to security of ePHI.
- As much as possible, use technical fixes to reduce your chances of a breach, e.g., if you absolutely must load or maintain ePHI on laptops or other digital media, encrypt the information!
- Train (and re-train) employees!
- Make sure your Business Associates have their own privacy and security policies and enforce them.
We recently got a question from someone writing a comment on one of our HIPAA and email blogs. A co-worker wrote to describe how a person mis-addressed an email, sent it via a secure email application to other company employees, and was fired for a HIPAA violation. The co-worker was right that sending the encrypted email with PHI maybe wasn’t a violation in itself, but sending it to staff members who did not need access to the PHI in the email was. This showed a lack of appreciation for the nuances of the HIPAA regulations that employees need to be reminded of from time to time.
You can see the entire list of breaches affecting 500 or more individuals. Good luck!