HIPAA Compliance Violations Result in Significant Fines for Healthcare Providers

Article

Two recent settlements by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) related to potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have resulted in significant fines for the entities involved. These settlements demonstrate the fervor with which the Federal Government is pursuing HIPAA violations.

In one case, a Massachusetts teaching hospital agreed to pay an $850,000 settlement related to the hospital’s failure to adopt and implement appropriate HIPAA safeguards. The investigation by OCR was prompted by the theft of a laptop containing the protected health information (PHI) of 599 individuals. The laptop, which accompanied a portable CT scanner, was taken from an unlocked room in 2011. In addition to the financial aspect of the settlement, the hospital will be responsible for establishing a comprehensive corrective action plan to remedy deficiencies in its HIPAA compliance program.

During its investigation of the breach, OCR determined that the hospital had failed to safeguard PHI in a broad variety of ways, including inadequate physical security and a lack of thorough policies and procedures to account for the vulnerabilities and risks associated with its electronic PHI (ePHI). While the stolen laptop is considered a significant breach, in that it affected more than 500 individuals (the threshold above which the HIPAA Breach Notification Rule requires notice to HHS without unreasonable delay and to prominent media outlets, rather than in an annual log), the information on the laptop’s hard drive was limited to names, dates of birth, and the images produced by the CT scanner. Notably, the laptop did not contain more sensitive data such as patient Social Security numbers or financial information.

The size of OCR’s $850,000 settlement reflects its concern with the hospital’s overall failure to protect its ePHI and its widespread non-compliance, rather than with the scale of this particular incident. By comparison, OCR announced a settlement with another entity earlier this year for $750,000, $100,000 less than the current settlement, after an unencrypted laptop was stolen containing the PHI of 55,000 individuals, more than ninety times the number of individuals affected in the current matter. The encryption status matters in practice: PHI encrypted in a manner consistent with HHS guidance is not “unsecured” PHI, so its loss does not trigger breach notification obligations, although the Security Rule deficiencies that allowed the loss can still be investigated.

Additionally, OCR announced a HIPAA settlement with an insurance conglomerate earlier this week in the amount of $3.5 million. After the company submitted a number of breach notifications, OCR opened an investigation and ultimately found that the company (i) failed to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI, (ii) impermissibly disclosed its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement, (iii) used or disclosed more PHI than necessary to carry out mailings, in violation of the “minimum necessary” standard, (iv) failed to conduct an accurate and thorough risk analysis, and (v) failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. The insurance company, like the hospital, will be responsible for establishing and implementing a comprehensive corrective action plan that will effectively protect the PHI of its beneficiaries.

Covered entities and business associates alike must ensure that they are in proper compliance with the HIPAA Privacy and Security Rules. OCR, through these recent settlements, has again demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, irrespective of the number of affected individuals or the sensitivity of the specific PHI disclosed. Covered entities and business associates are well advised to have robust compliance plans in place that are adhered to by providers and staff alike. Frier Levitt has experience in preparing comprehensive HIPAA policies and procedures for a variety of entities that are both compliant and business focused. Contact Frier Levitt to ensure that your practice has conducted a proper risk analysis and subsequently implemented the requisite safeguards to protect against HIPAA breaches and violations.