“Small” Breaches Lead to Hefty Penalties from OCR

by Leonardo M. Tamburello

Previously, we have discussed statements made by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) that in 2014 it would bring increased compliance and enforcement actions. Making good on that promise, on April 22, 2014, OCR announced two separate settlements totaling over $1.9 million resulting from potential violations of the HIPAA Privacy and Security Rules.

In both instances, OCR’s investigation was triggered by a breach report based on a stolen laptop that contained unencrypted electronic protected health information (ePHI). These breach reports led to formal investigations which eventually revealed deeper HIPAA compliance issues. Consequently, both breaching parties entered into costly settlements and agreed to significant corrective action plans overseen by OCR.

Lost Unencrypted Laptop Results in $1.75 million Settlement

After the Covered Entity filed a breach report that an unencrypted laptop had been stolen from one of its facilities, OCR initiated a compliance review which revealed that, in “multiple risk analyses,” the Covered Entity had previously recognized the lack of encryption on its desktops, laptops, medical equipment, tablets and other devices containing ePHI as a “critical risk.” Although it undertook efforts to begin encryption, OCR found them to be “incomplete and inconsistent.” OCR’s review also revealed other “insufficient security management processes in place to safeguard patient information.”

As a result of OCR’s investigation, the Covered Entity agreed to a $1.75 million settlement of all potential HIPAA violations and to implement a remedial corrective action plan.

Stolen Unencrypted Laptop Results in $225,000 Settlement

In February 2012, OCR was notified by a health plan that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car. The subsequent OCR investigation revealed that the plan failed to comply with multiple requirements of the HIPAA Privacy and Security Rules beginning from the compliance due date of the Security Rule in April 2005 through June 2012.

As a result of these allegations, the plan agreed to a $225,000 monetary settlement and to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI. Although the health plan encrypted its devices after the theft, it was still required to retrain its workforce and document its ongoing compliance efforts.

Analysis

These breaches had ramifications far beyond the specific incident that prompted OCR’s investigation. In each case, the investigation revealed systemic, institutional-level failures to comply with HIPAA’s Security Rule. Both cases illustrate the value of encrypting all devices involved in the use, storage or transmission of ePHI. These efforts should be planned, implemented and verified as part of a Covered Entity’s security risk assessment and risk management processes.

Looking Forward

Precisely what these settlements mean to other Covered Entities may soon be known. On February 21, 2014, a laptop computer was stolen from the car of an employee of a hospital-based health plan in Pennsylvania. The laptop contained the names, addresses, dates of birth, insurance information, appointment dates and physician names of 733 patients. Media reports do not mention any encryption, though the laptop was apparently password-protected. A few weeks later, on March 15 or 16, one of the same Covered Entity’s offices was broken into and another laptop taken. This one contained PHI including patients’ names, phone numbers, birth dates, and partial Social Security numbers.

Using the recent settlements as a guide, this Covered Entity is likely facing a far-reaching OCR investigation along with additional compliance mandates and a multimillion-dollar settlement and/or Civil Monetary Penalty.