HIPAA Enforcement At All-Time High So Far in 2016

by Leonardo M. Tamburello

Still with four months to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September even begins, OCR has already levied over $20 million in fines resulting from its investigation of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties which it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine, $5.5 million, for suspected HIPAA violations.

In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The factors that OCR’s Regional Offices will consider in this manner include:

  • The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
  • Whether the breach involved theft or improper disposal of unencrypted PHI;
  • Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  • A particular covered entity or business associate’s breach history; and
  • Lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notification. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.

Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, ensure that their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.

OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

by Leonardo M. Tamburello

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance. In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”). In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the hacker, making data, and possibly entire information systems such as EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, hackers demand a payment before providing the key required to decrypt the affected files. Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected email attachments.

OCR’s guidance states that ransomware infections of a computer system are a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident response and reporting procedures. In addition, it should also assess whether or not a “breach” has occurred. As defined by HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether ransomware infections meet this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore an impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that a breach has occurred, taking into account the following factors: (1) the nature and extent of ePHI involved; (2) the unauthorized person who used ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to ePHI has been mitigated. If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, on the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,” properly encrypted PHI, even if stolen, usually does not constitute a “breach.” However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective. For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user, so the ransomware runs with the same plaintext access as the logged-in user. Thus, an authenticated user who accidentally infects the system with ransomware may cause a breach of ePHI. As a result, despite having encryption protection in place, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA.

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from this period last year. With health information systems containing vital information for daily operation as well as highly personal information of their patients, the health care sector has been a growing target of ransomware. OCR’s new guidance recognizes this threat and clarifies the implications that it carries for covered entities and business associates.

SCOTUS Broadens False Claims Act Liability Based On “Implied False Certification” Theory

by Leonardo M. Tamburello

In a June 2016 decision, the United States Supreme Court held, under the False Claims Act (FCA), that (1) the so-called “implied false certification theory” may create liability when the defendant fails to disclose noncompliance with a legal requirement when submitting payment claims that make definitive representations about the services provided; and (2) liability is not contingent upon the requirement being an express condition of payment.

Yarushka Rivera received counseling at a mental health facility. Rivera suffered an adverse reaction to medication resulting in her death. After Rivera’s death, her parents learned that most employees at the facility were not licensed to provide mental health counseling. They later discovered that only one of the five professionals treating their daughter was licensed. Respondents filed a qui tam suit alleging violations under the FCA, based on an implied false certification theory of liability; that is, they claimed that the facility submitted false claims by submitting reimbursement requests without disclosing regulatory violations regarding staff credentialing and licensing.

Implied False Certification Theory

The implied false certification theory suggests that a defendant implicitly verifies that all payment requirements are satisfied when submitting a claim. However, if the claim fails to disclose violations of a material legal provision, then a misrepresentation has been made, rendering the claim false or fraudulent under the FCA. Disputes among the Courts of Appeals concerning the validity of this theory prompted the Supreme Court to grant review. In its decision, the Supreme Court held that the implied certification theory may create liability when two conditions are met: first, the claim does not just demand payment but makes definitive representations about the products or services provided; and second, failure to disclose noncompliance with material statutory, regulatory, or contractual provisions makes those representations deceptive half-truths.

Liability Under the FCA

The FCA imposes civil liability on “any person who…knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval.” Defendants argued that liability should only be imposed when the violations of statutory, regulatory, or contractual requirements are an express condition of payment. The Supreme Court rejected this contention, stating liability is not contingent upon the violated legal provision being an express condition of payment. In so holding, the Court noted that the FCA does not impose such a restriction.

Instead, liability is determined by the extent of the material misrepresentation. The FCA defines material as having influence, or being capable of influencing, the payment or receipt of money or property. However, a misrepresentation is not material simply because the government compels compliance with statutory, regulatory, or contractual provisions as a condition of payment. Nor is materiality found if noncompliance is trivial or insubstantial. Thus, when evaluating the materiality of a misrepresentation for a possible FCA violation under the implied false certification theory, the fact that a provision is an express condition of payment is relevant but not dispositive.

The Supreme Court’s ruling on the implied false certification theory now broadens healthcare providers’ liability because plaintiffs can bring more expansive claims under the FCA. But liability is only actionable when the misrepresentation of a legal provision is material to the government’s decision to provide payment. While a healthcare provider’s liability is broadened, the bar to sustain such claims is slightly raised by the demanding nature of the materiality standard articulated by the Court.

Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

by Leonardo M. Tamburello

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing the PHI including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. First, whether a data set containing fewer identifiers, or de-identified data, could have been used for this project. If de-identified information had been used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA. The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether and to what extent PHI beyond the “minimum necessary” is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented. Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially if the PHI of nearly a million individuals is potentially in play. Although there seems to have been some process along these lines in place in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives can be verified.

In addition, the decision to apparently not encrypt the hard drives should also be examined. Encryption remains an addressable implementation specification under HIPAA; it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See 45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii). If the entity decides that encryption, as an addressable implementation specification, is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities. Two relatively simple strategies to avoid the serious harm that could result from such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.

OCR Assesses Over $5 Million in HIPAA Penalties, Formally Announces Phase 2 Audits

by Leonardo M. Tamburello

Coming in like the proverbial March lion, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two Resolution Agreements and penalties totaling over $5 million and the launch of its long-awaited 2016 Phase 2 HIPAA Audit Program.

Lack of Encryption and Other Failings Lead to Substantial HIPAA Fines

Both recently announced resolution agreements arise from familiar facts involving the theft of an unencrypted laptop computer containing electronic protected health information (ePHI) from a vehicle.

On March 17, 2016, OCR announced the $1.55 million settlement of potential HIPAA violations arising from the theft of an unencrypted, password-protected laptop containing the ePHI of 9,497 individuals from a business associate’s locked vehicle in September 2011. Upon investigation it was discovered that no business associate agreement existed between the covered entity and its business associate which was tasked with providing payment and health care operations activities and had access to almost 300,000 patients’ data. It was further determined that the covered entity had not performed a risk assessment as required by the Security Rule to address all potential risks and vulnerabilities to the ePHI which it maintained, accessed, or transmitted across its entire IT infrastructure. In addition to the $1.55 million fine, a two-year corrective action plan and workforce retraining are required under the settlement.

The next day, on March 17, 2016, OCR announced a near-record $3.9 million settlement resolving potential HIPAA violations with a research institute arising from a laptop computer stolen in September 2012 which contained the ePHI of approximately 13,000 patients and research participants. A subsequent investigation discovered that, among other deficiencies, the institution had inadequate security practices, lacked policies and procedures regarding access to ePHI, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.

As we have previously noted on this blog, robust encryption is quickly becoming industry standard, and there are few reasons not to implement it for mobile devices such as laptops. Had the laptops been properly encrypted as part of a larger risk assessment and risk management plan, these losses would not have constituted reportable “breaches” for HIPAA purposes.

2016 Phase 2 HIPAA Audit Program Formally Launches

On March 21, 2016, OCR announced the formal beginning to the long-awaited 2016 Phase 2 HIPAA Audit Program (the “Phase 2 Audits”) through which it will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

As this blog previously reported, the Phase 2 Audits will primarily be “desk audits,” meaning that they will be conducted through information requests sent by OCR via email to selected covered entities and business associates, although a limited number of on-site audits will also be conducted.

The audit process will begin with verification of an entity’s address and contact information, followed by a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If no response is received by email, OCR will use publicly available information about the entity to create its audit subject pool. Thus, entities that do not respond to OCR emails may still be selected for an audit or be subject to a compliance review. Spam filters should be carefully reviewed to ensure that OCR communications are not inadvertently discarded.

OCR is expected to post updated audit protocols on its website which will reflect the 2013 enactment of the HIPAA Omnibus Rule. These can also be used by organizations to conduct their own internal self-audits as part of ongoing HIPAA compliance activities. More information about the 2016 Phase 2 Audits can be found on OCR’s website, including key information regarding audit selection criteria based on entity size, affiliations, type of entity, and geography and past enforcement history with OCR.

Audit selectees should keep in mind that information disclosed during the audit process may trigger a more thorough compliance review.

CMS Brings Clarity to ACA’s 60-Day Overpayment Rule

by Marissa Koblitz-Kingman and Leonardo M. Tamburello

Part of the antifraud provisions of the Affordable Care Act (ACA) requires any person who receives an “overpayment” of Medicare or Medicaid funds to “report and return” said overpayment to HHS, the State, or another party if appropriate within sixty (60) days of the “date on which the overpayment was identified.” See 42 U.S.C. § 1320a-7k(d)(1). A violation of this so-called “Sixty-Day Rule” is a per se violation of the False Claims Act (FCA), which may lead to treble damages, fines of between $5,500 – $11,000 per claim, and possible imprisonment. Id. § 1320a-7k(d); see 31 U.S.C. § 3729(a).

Since the ACA’s enactment there have been serious questions raised by providers regarding when an “overpayment” is “identified” for purposes of starting the clock under the Sixty-Day Rule. Finally, on February 11, 2016, CMS released a final rule, effective March 14, 2016 (the “Final Rule”), which clarifies (1) that the 60-day window for refunding overpayments is not triggered until both the fact and amount of an overpayment are known; (2) that the standard for knowledge is not “actual knowledge,” but when the provider would have identified the overpayment had it exercised reasonable diligence; and (3) the manner in which the refund must be made.

Prior to this Final Rule, it was unclear when the 60-day period began to run, leaving courts to interpose their own interpretation of the ACA in this regard. As we have previously discussed on this blog, U.S. ex rel. Kane v. Continuum Health Partners, No. 11 Civ. 2325, 2015 WL 4619686 (S.D.N.Y. Aug. 3, 2015), addressed that very issue. In Kane, three hospitals received payment for Medicaid claims that should never have been submitted. In September 2010, auditors from the New York State Comptroller’s office raised the potential overpayments and determined that these claims were caused by a third-party’s software glitch. The glitch was fixed in December 2010. The hospitals’ management asked relator Robert Kane to identify claims potentially implicated by the glitch. On February 4, 2011, Kane wrote an email to management attaching a spreadsheet of approximately 900 claims totaling over $1 million that had potentially been affected by the glitch. Four days later, Kane was terminated, allegedly in retaliation.

Kane filed an FCA and wrongful termination suit on April 5, 2011, which is exactly 60 days after he provided his spreadsheet. In June 2014, the United States government and New York Attorney General intervened on Kane’s behalf, alleging that by failing to further investigate the potential overpayments identified by Kane and delaying repayment for over two years, the hospitals improperly withheld “overpayments” in violation of the Sixty-Day Rule.

The hospitals moved to dismiss, stating that Kane’s spreadsheet had not identified any overpayment for purposes of the ACA, but was merely preliminary. Further, they claimed that because the overpayments had not been definitively ascertained, the sixty-day clock did not start and that they had no obligation to begin repayment for claims until they determined with certainty that those claims had, in fact, been overpaid, and to what extent.

The District Court rejected this argument, and held that the 60-day period begins to run when a provider is put “on notice of a potential overpayment, rather than the moment when an overpayment is conclusively ascertained.” If left as precedent, this would have dramatically lowered the knowledge requirement to sustain a violation of the Sixty-Day Rule, potentially exposing Medicaid providers and suppliers to myriad liability under the FCA for “overpayments” not repaid within sixty days. CMS’s Final Rule changes this, clarifying that the 60-day period for refunding overpayments is not triggered until both the fact and amount of an overpayment are known. The Final Rule also states that the standard for knowledge is not “actual knowledge,” but when the provider would have identified the overpayment had it exercised reasonable diligence. While providers must act with due alacrity to investigate possible overpayments, they need not fear that the mere possibility of an overpayment will lead to liability under the FCA unless it is repaid within sixty days.

Although it remains to be seen how the court will apply the Final Rule under the facts and circumstances of Kane, it seems likely that the defendants will renew their motion to dismiss armed with CMS’s new interpretation set forth in the Final Rule.

Catholic Hospital Not Covered By ERISA’S Religious Exemption

by Paul L. Croce

The U.S. Court of Appeals for the Third Circuit in Kaplan v. St. Peter’s Healthcare System, has ruled that St. Peter’s Healthcare System’s (“St. Peter’s”) pension plan is not entitled to a religious exemption under the Employee Retirement Income Security Act (“ERISA”).

In May 2013, Laurence Kaplan, a former St. Peter’s employee, filed a putative class action suit against St. Peter’s alleging, among other things, that St. Peter’s pension plan was significantly underfunded. St. Peter’s moved to dismiss the Complaint, arguing that it qualified under Section 4(b)(2) of ERISA for a church plan exemption and was thus not required to comply with the provisions of ERISA which Kaplan claimed it had violated. The District Court disagreed with St. Peter’s, who then sought review from the Third Circuit.

The Third Circuit acknowledged that in the last few decades various courts “have assumed that entities that are not themselves churches, but have sufficiently strong ties to churches can establish exempt church plans.” However, the Court did not find those cases to be controlling, stating that the current case is part of a “new wave of litigation” which argues that the definition of church plan precludes that result. Lower courts which have addressed this current “new wave of litigation” have been split in their decisions.

ERISA § 3(33)(A) defines a church plan as “a plan established and maintained . . . for its employees (or their beneficiaries) by a church or a convention of churches.” Section 3(33)(c)(i) further clarifies that a “plan established and maintained” by a church “includes a plan maintained by an organization . . . controlled by or associated with a church or a convention of churches.”

St. Peter’s argued that the clarification in Section 3(33)(c)(i) annulled the requirement that a church establish a plan in order for it to qualify for an exemption. The Court, however, relying on the plain language of the statute as well as various canons of statutory construction, found that the provision merely expanded the definition of church plan to include plans maintained by other tax-exempt organizations. It did not, as St. Peter’s contended, eliminate the requirement that the plan be established by a church or convention or association of churches. Accordingly, the Court found St. Peter’s could not rely upon the church plan exemption to avoid the obligations imposed by ERISA.

This decision will have a serious impact on religious-based healthcare organizations, as it imposes significant reporting and funding obligations on those organizations. However, this is unlikely to be the last word on the subject. It is anticipated that St. Peter’s will seek certiorari, and the same issue is currently being addressed by the Seventh Circuit in Stapleton v. Advocate Health Care Network, where the Court heard argument on September 18, 2015. Should the Seventh Circuit rule contrary to the Third, there is a good possibility the matter may ultimately be decided by the United States Supreme Court.

Stark Undergoes Another Change

by John W. Kaveney and Marissa Koblitz-Kingman

The Stark Act, 42 U.S.C. § 1395nn, prohibits physicians from engaging in a “self-referral” when referring patients elsewhere for certain services. Generally, if a physician (or an immediate family member of such physician) has a financial relationship with an entity, then the physician may not make a referral to the entity for the furnishing of designated health services for which payment otherwise may be made under Medicare. For example, an orthopedist may not refer a patient for imaging to a facility in which the physician or a member of her immediate family has an interest. The entity accepting the prohibited referral may not present or cause to be presented a claim to Medicare or bill to any individual, third party payor, or other entity. If the referral entity collects payments billed in violation of this prohibition, it must refund those amounts on a timely basis, typically within 60 days of identification.

Exceptions to Stark do exist, and on November 16, 2015, the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), issued a final rule revising and adding further exceptions to offer providers additional flexibility in their efforts to comply with Stark. Some of the major changes include:

1.) CMS created a new exception for assistance to compensate a non-physician practitioner. The exception permits remuneration from a hospital, federally qualified health center, or rural health clinic to a physician to recruit a non-physician practitioner (physician assistants, nurse practitioners, clinical nurse specialists, certified nurse midwives, clinical social workers and clinical psychologists) where substantially all of the services furnished by the non-physician practitioner to the physician’s patients are for primary care services or mental health care services;

2.) CMS created a new timeshare arrangement exception to cover the use of some premises, equipment, personnel, items, supplies, or services. Compensation for such arrangements must be carefully structured. Percentage compensation and per-unit services fees are prohibited; hourly or half day rates are acceptable. The arrangement cannot be conditioned upon referrals and cannot convey a possessory interest in the office space;

3.) CMS revised the temporary noncompliance with signature requirement. Previously, parties who inadvertently failed to comply with the signature requirement had 90 days to comply, while others had 30 days. The revision provides a flat 90-day period to comply with this requirement, regardless of whether the failure to obtain a signature was inadvertent or not;

4.) CMS created a new, indefinite holdover provision. An expired arrangement under the office space and equipment rental exceptions and the personal service arrangements exception can now be “held over” indefinitely rather than for only six months, provided the arrangement: (a) satisfies all of the requirements [list] at the time of expiration; (b) continues on the same terms and conditions; and (c) continues to satisfy all of the enumerated requirements during the holdover;

5.) CMS clarified the writing requirement, requiring only that an arrangement be set out in writing. Although CMS recommends having one signed written contract that satisfies every requirement of the exception, this requirement may also be satisfied through a collection of documents that relate to one another and to the exact arrangement.

These are only some of the revisions and only the highlights of a very technical set of regulations. It is critical that physicians, hospitals, health care facilities and business associates ensure that they are aware and up-to-date with all of the major changes to Stark. Complying with Stark in practice can be particularly complex and thus must be closely monitored.

Two New HIPAA Enforcement Actions Emphasize Risk Analysis, Impose Multi-Year Compliance Monitoring

by Leonardo M. Tamburello

The Office for Civil Rights (OCR) recently announced two new HIPAA enforcement actions totaling over $4.3 million in penalties. Both of these actions should remind Covered Entities and their Business Associates of the importance of implementing a multi-layered approach to HIPAA compliance, and serve as a warning about the recent trend of OCR imposing multi-year HIPAA compliance monitoring programs.

Unsecured, Unencrypted Laptop Stolen Containing CT Images of 599 Individuals Results in $850,000 Fine and Two-Year Compliance Monitoring Program for Hospital

On November 30, 2015, OCR announced a Resolution Agreement with a Massachusetts hospital arising from the overnight theft of a laptop in 2011 from an unlocked treatment room. The laptop, which was on a stand that accompanied a portable CT scanner, operated the scanner, produced CT images for viewing, and contained the protected health information (PHI) of 599 individuals. OCR’s subsequent investigation into this event indicated widespread non-compliance with the HIPAA rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the hospital was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a two-year comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance to OCR.

The OCR press release and Resolution agreement are available at this link.

Multiple HIPAA Violations Result in $3.5 million Resolution Agreement, Three-Year Compliance Monitoring Program

A few days earlier, on November 24, OCR announced a Resolution Agreement with a publicly-traded insurance holding company and its subsidiaries that reported eight separate possible HIPAA breaches from 2010 through 2015. Five of these events affected 500 or more individuals.  The incidents included, but were not limited to: former employees whose intranet access was not properly terminated; vendor mistakes involving use and disclosure of PHI; former business associate employee misconduct; incorrectly stuffed envelopes which had mismatched beneficiary cards enclosed; and the improper use of beneficiary ID numbers on the exterior of mailing envelopes.

Following receipt of the aforementioned reports, the OCR initiated investigations to ascertain the entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  This investigation concluded that the entity or its subsidiaries:

  • Impermissibly disclosed beneficiaries’ PHI;
  • Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissibly disclosed PHI to outside vendors with which it did not have an appropriate business associate agreement;
  • Failed to adhere to HIPAA’s “minimum necessary” standard in making disclosures to outside vendors;
  • Failed to conduct an accurate and thorough risk analysis which incorporated all IT equipment, applications, and data systems utilizing ePHI;
  • Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  • Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ended.

OCR agreed to accept a $3.5 million Resolution Amount in conjunction with the implementation of a three-year Corrective Action Plan which includes annual HIPAA compliance reporting to the Government.

The OCR press release and Resolution agreement are available at this link.  This is the second Resolution Agreement which covered multiple breaches announced by OCR this year, and part of a recent trend in which multi-year Corrective Action Plans were imposed.

Improvements Needed Regarding OCR’s HIPAA Oversight and Breach Follow-Up

by Leonardo M. Tamburello

The Office of Inspector General (OIG) recently issued two reports regarding HIPAA oversight activities performed by the Office for Civil Rights (OCR).  The first of these reports examined OCR’s oversight of covered entities’ compliance with the Privacy Rule.  The second report looked at OCR’s handling of covered entities’ reported HIPAA breaches.   Both reports included recommendations to OCR for improvement in these areas.  OCR agreed with all of OIG’s recommendations, suggesting changes to OCR oversight and enforcement activities in the near future.

Both studies were conducted by reviewing statistical samples of OCR investigations from September 2009 through March 2014, surveying OCR staff, interviewing OCR officials, reviewing OCR’s investigation policies, and reviewing documentation provided by a statistical sample of Part B providers to determine the extent to which they addressed five selected privacy standards or three selected breach administrative standards, as appropriate.

Regarding Privacy Rule compliance, OIG’s primary findings included that OCR oversight remains “primarily reactive,” in that it investigates possible HIPAA non-compliance primarily in response to complaints, and that OCR has not yet fully implemented requirements under §§ 13411 and 13432 of the HITECH Act that it proactively conduct audits of covered entities to assess their HIPAA compliance efforts.  OIG also determined that in a significant number of cases, OCR failed to fully document corrective action or whether the covered entity had been the subject of a prior HIPAA investigation.  Furthermore, OIG’s review found that OCR’s case-tracking system has limited search functionality and lacks a standard way to enter covered entities’ names in the system.

Concerning HIPAA breaches, OIG also found that although OCR would usually document corrective action for most closed so-called “large” breaches involving 500 or more individuals, almost one-quarter of such cases nonetheless had inadequate documentation of corrective action taken. OIG further found that OCR did not record small-breach information in its case-tracking system, and that this failure to document “small” breaches limited OCR’s ability to track and identify covered entities with multiple small breaches.

As a result of these findings, OIG recommended that OCR: (1) fully implement a permanent audit system; (2) enter small-breach information into its case-tracking system; (3) maintain complete documentation of corrective action; (4) develop a method in its case-tracking system to search and track covered entities that were previously investigated and/or reported prior breaches; (5) develop a policy requiring staff to check whether covered entities have been previously investigated or reported prior breaches; and (6) continue to expand outreach and education efforts to covered entities.

OCR concurred in all of these recommendations, and further stated that it is moving forward with a permanent audit program, including Phase 2 HIPAA audits in early 2016 which are designed to “test the efficacy of the combination of desk reviews of policies as well as on-site reviews,” and also “target specific common areas of non-compliance,” for both covered entities and business associates.

Now that the Phase 2 HIPAA audits, which have been previously discussed on this blog, are right around the corner, it is critical that covered entities and business associates ensure that their HIPAA compliance programs are in order. Suggested activities in this regard might include: performing an updated risk assessment and implementing a risk management plan; conducting an inventory and audit of all business associate agreements; reviewing any unimplemented “addressable” Security Standards; refreshing workforce training; and carefully reviewing security policies in general.

For full text of the recent reports from OCR, please follow the links below: