Two New HIPAA Enforcement Actions Emphasize Risk Analysis, Impose Multi-Year Compliance Monitoring

by Leonardo M. Tamburello

The Office for Civil Rights (OCR) recently announced two new HIPAA enforcement actions totaling over $4.3 million in penalties. Both of these actions should remind Covered Entities and their Business Associates of the importance of implementing a multi-layered approach to HIPAA compliance, and serve as a warning about the recent trend of OCR imposing multi-year HIPAA compliance monitoring programs.

Unsecured, Unencrypted Laptop Stolen Containing CT Images of 599 Individuals Results in $850,000 Fine and Two-Year Compliance Monitoring Program for Hospital

On November 30, 2015, OCR announced a Resolution Agreement with a Massachusetts hospital arising from the overnight theft of a laptop in 2011 from an unlocked treatment room. The laptop, which sat on a stand that accompanied a portable CT scanner, operated the scanner, produced CT images for viewing, and contained the protected health information (PHI) of 599 individuals. OCR’s subsequent investigation into this event indicated widespread non-compliance with the HIPAA Rules, including:

  • Failure to conduct a thorough risk analysis of all of its ePHI;
  • Failure to physically safeguard a workstation that accessed ePHI;
  • Failure to implement and maintain policies and procedures regarding the safeguarding of ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;
  • Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;
  • Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and
  • Impermissible disclosure of 599 individuals’ PHI.

In addition to the $850,000 settlement, the hospital was required to address its history of noncompliance with the HIPAA Rules by providing OCR with a two-year comprehensive, enterprise-wide risk analysis and corresponding risk management plan, as well as reporting certain events and providing evidence of compliance to OCR.

The OCR press release and Resolution Agreement are available at this link.

Multiple HIPAA Violations Result in $3.5 million Resolution Agreement, Three-Year Compliance Monitoring Program

A few days earlier, on November 24, OCR announced a Resolution Agreement with a publicly-traded insurance holding company and its subsidiaries that reported eight separate possible HIPAA breaches from 2010 through 2015. Five of these events affected 500 or more individuals.  The incidents included, but were not limited to: former employees whose intranet access was not properly terminated; vendor mistakes involving use and disclosure of PHI; former business associate employee misconduct; incorrectly stuffed envelopes which had mismatched beneficiary cards enclosed; and the improper use of beneficiary ID numbers on the exterior of mailing envelopes.

Following receipt of the aforementioned reports, OCR initiated investigations to ascertain the entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. This investigation concluded that the entity or its subsidiaries:

  • Impermissibly disclosed beneficiaries’ PHI;
  • Failed to implement appropriate administrative, physical, and technical safeguards to protect PHI;
  • Impermissibly disclosed PHI to outside vendors with which it did not have an appropriate business associate agreement;
  • Failed to adhere to HIPAA’s “minimum necessary” standard in making disclosures to outside vendors;
  • Failed to conduct an accurate and thorough risk analysis which incorporated all IT equipment, applications, and data systems utilizing ePHI;
  • Failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
  • Failed to implement procedures for terminating access to ePHI when the employment of a workforce member ended.

OCR agreed to accept a $3.5 million Resolution Amount in conjunction with the implementation of a three-year Corrective Action Plan which includes annual HIPAA compliance reporting to the Government.

The OCR press release and Resolution Agreement are available at this link. This is the second Resolution Agreement covering multiple breaches that OCR has announced this year, and part of a recent trend in which multi-year Corrective Action Plans are imposed.