Law360, New York (September 26, 2013, 5:53 PM ET) --
The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) is stepping up its enforcement efforts and cracking down on entities that violate the Health Insurance Portability and Accountability Act of 1996. Earlier this year, Idaho State University was fined $400,000 for the breach of unsecured protected health information (PHI) regarding 17,500 individuals who were patients at a university clinic.
In July, managed care company WellPoint Inc. agreed to pay the HHS $1.7 million to settle potential violations of the HIPAA privacy and security rules. The most recent settlement involves Affinity Health Plan Inc., a not-for-profit managed care plan serving the New York metropolitan area. Affinity agreed to pay over $1.2 million as part of the settlement with the OCR for a security breach involving leased copiers, even though it was not clear that any PHI was actually misused or retained as a result of the breach.
Affinity notified the OCR of a potential breach on April 15, 2010, after discovering that copiers it had leased and then returned still contained electronic PHI (ePHI). Often overlooked, advanced copiers, such as those used by Affinity, can contain hard drives where digital images of the documents being copied are stored before they are printed. Depending on the size of the hard drives and the volume of documents being scanned, these hard drives can store thousands of images. Unless the hard drive is wiped, the images remain on the copier until the drive is full, and new data overwrites the old.
At the end of Affinity’s lease, the copiers were returned and then leased again to a different company. At least one recipient of the leased equipment, CBS Evening News, discovered ePHI on the copiers. CBS Evening News reported this to Affinity, who in turn reported the incident to the OCR.
Presumably, CBS Evening News recognized the sensitive nature of the information and did not retain or further disclose the information. However, the risk of compromise was relatively high: Affinity had returned multiple photocopiers to its leasing agents that together contained information on as many as 344,579 individuals.
After an investigation, the OCR concluded that Affinity impermissibly disclosed the ePHI of these individuals when it returned the photocopiers to the leasing agents without erasing data contained on the copier hard drives. However, this finding alone does not explain the high settlement amount.
What does explain the substantial penalty is a circumstance that regularly appears in reports of high-dollar settlements under HIPAA: Affinity did not base its policies and procedures on a thorough risk assessment, as required by the security rule, and therefore, Affinity failed to implement policies and procedures for safeguarding ePHI when returning the photocopiers to its leasing agents.
Affinity should have accounted and planned for the storage of ePHI on photocopier hard drives in its analysis of risks and vulnerabilities. OCR Director Leon Rodriguez noted, “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
In addition to the settlement payment, the OCR instituted a corrective action plan (CAP) requiring Affinity to use its “best efforts” to retrieve all of the hard drives that were contained on the copiers in the possession of the leasing agent and safeguard all ePHI contained therein from impermissible disclosure.
If Affinity is unable to obtain the hard drives, Affinity must document its best efforts to do so and provide the OCR with the reason(s) Affinity was unsuccessful. Affinity must also now meet its obligation under the security rule to conduct a comprehensive risk analysis of the risks and vulnerabilities associated with its possession of ePHI and develop a plan to mitigate such risks and vulnerabilities. However, under the CAP, Affinity’s plan will be subject to the OCR’s review and approval.
It is hard to deny the similarities between the Affinity settlement and other major settlements with the OCR in the recent past. The common factor is not, as some might believe, that each involved an unauthorized disclosure of PHI. That is certainly true, but breaches happen all the time.
Instead, the common thread is that the OCR has imposed penalties because policies did not exist, risk assessments were not performed, or policies were not followed. Accordingly, this settlement provides several important instructions for companies that handle ePHI.
First and foremost, include in your risk assessments all equipment and locations where PHI may be stored. All electronic devices with memory have the potential to store PHI, including most printers, copiers, scanners and fax machines. A major goal of conducting risk assessments is to identify new and potential threats to PHI.
When copiers and fax machines were first introduced into the business environment, memory was expensive, and most devices used just enough to print one document at a time. However, as technology advanced, and the price of memory dropped, hard drives in copiers became more and more common.
If your last risk assessment was performed in the '90s, you might have missed this particular vulnerability. That is why it is important to conduct regular risk assessments, preferably with security professionals who are knowledgeable on a wide range of security topics and technology.
Second, address processes in your written policies and procedures for appropriately deleting or safeguarding such ePHI based on your risk assessment. If the device stores data, then pursuant to HHS guidance, it should be wiped before being sold or discarded. The process may be as simple as running a wiping utility on the device itself, or it may require a computer technician to pull the hard drive out of the machine manually.
Third, make sure you implement policies and procedures that govern the receipt and removal of hardware and electronic media on all electronic devices that contain ePHI. Most covered entities have already realized the importance of wiping desktop computers and laptops, but as this settlement should help demonstrate, printers and copiers are just as important.
Finally, organizations may also be best served by encrypting any ePHI that can be impermissibly accessed on electronic devices. While the HIPAA breach notification rule requires the notification of a breach of PHI, it is important to note that this requirement applies only to the breach of “unsecured” PHI.
Pursuant to HHS guidance, encryption is one way to ensure that any breach of ePHI would remain secure and, therefore, not be subject to notification requirements.
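The three controls above (inventory every storage-capable device in the risk assessment, verify sanitization before a device leaves custody, and encrypt ePHI at rest so that a loss is not a breach of "unsecured" PHI) can be expressed as an inventory review. The following is an added example, not code from the Law360 article, the authors, or any HHS guidance; the asset record fields and the sample inventory are constructed for illustration, and the copier entry mirrors the Affinity facts described above.

```python
"""Device-disposition review for an ePHI asset inventory (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dispositions in which the device leaves the organization's custody.
LEAVING_CUSTODY = {"lease_return", "sale", "disposal"}


@dataclass
class Asset:
    asset_id: str
    kind: str                     # "copier", "laptop", "fax", ... (assumed field)
    has_storage: bool             # onboard drive or non-volatile memory
    stores_ephi: Optional[bool]   # None means the device was never assessed
    encrypted_at_rest: bool       # stored data is encrypted on the device
    sanitization_verified: bool   # wipe or drive removal recorded and checked
    disposition: str              # "in_service" or one of LEAVING_CUSTODY


def asset_findings(asset: Asset) -> List[str]:
    """Return the policy gaps for one asset; an empty list means no finding."""
    findings: List[str] = []
    # Takeaway 1: every storage-capable device must be covered by the risk assessment.
    if asset.has_storage and asset.stores_ephi is None:
        findings.append("storage-capable device not covered by the risk assessment")
    if asset.stores_ephi:
        # Takeaways 2 and 3: verified sanitization before return, sale or disposal.
        if asset.disposition in LEAVING_CUSTODY and not asset.sanitization_verified:
            findings.append(
                f"{asset.disposition}: no verified sanitization before leaving custody"
            )
        # Takeaway 4: unencrypted ePHI is "unsecured" PHI under the breach rule.
        if not asset.encrypted_at_rest:
            findings.append("ePHI stored unencrypted; a loss would be a reportable breach")
    return findings


def review_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map each asset id with at least one finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        found = asset_findings(asset)
        if found:
            report[asset.asset_id] = found
    return report


def sample_inventory() -> List[Asset]:
    """Constructed sample inventory; the ids and values are not real data."""
    return [
        # Leased copier returned with an unwiped, unencrypted drive.
        Asset("COP-01", "copier", True, True, False, False, "lease_return"),
        # Laptop with full-disk encryption and a recorded wipe before disposal.
        Asset("LAP-07", "laptop", True, True, True, True, "disposal"),
        # Fax machine with memory that the risk assessment never looked at.
        Asset("FAX-03", "fax", True, None, False, False, "in_service"),
        # Printer with no persistent storage: nothing to review.
        Asset("PRN-12", "printer", False, False, False, False, "sale"),
    ]


if __name__ == "__main__":
    for asset_id, findings in review_inventory(sample_inventory()).items():
        for finding in findings:
            print(f"{asset_id}: {finding}")
```

The review deliberately treats "never assessed" differently from "assessed and found not to store ePHI": the first is itself a finding, because the Affinity settlement turned on the copiers being absent from the risk analysis rather than on the disclosure alone.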
Don’t wait until the last minute to tackle these issues. In addition to reviewing your written policies and conducting a risk assessment, your business associate agreements may need to be modified, along with your notice of privacy practices if you are a covered entity.
If you are a business associate under HIPAA, for example, a lawyer who receives or creates PHI in representing covered entities, you should become informed about your newly enhanced obligations and risks under the final rule.
If you are interested in learning more about the Affinity breach, the HHS resolution agreement and corrective action plan can be found on the OCR website here. For more information on safeguarding sensitive data stored in the hard drives of digital copiers, see this page. The National Institute of Standards and Technology has also issued guidance on media sanitization, available here.
--By Marcia L. Augsburger, M. Scott Koller and Tiffani V. Williams, DLA Piper
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
HEALTH PLAN PAYS FOR FAILING TO ERASE DATA ON LEASED EQUIPMENT: TWO TAKEAWAYS FOR COMPANIES HANDLING ELECTRONIC PHI
The Office for Civil Rights (OCR) has announced a settlement between the US Department of Health and Human Services and Affinity Health Plan, Inc. to address potential violations of the Health Insurance Portability and Accountability Act of 1996.
Affinity, a not-for-profit managed care plan serving the New York metropolitan area, paid more than US$1.2 million as part of the settlement, even though it was not clear that any protected health information (PHI) was actually misused or retained as a result of the breach.
In addition to the settlement payment, Affinity will be required to comply with a corrective action plan instituted by OCR.
What can companies that handle PHI learn from this outcome? Find out more.
The Department of Health and Human Services Office for Civil Rights has announced that WellPoint, Inc. has agreed to pay $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If you are a covered entity or business associate under HIPAA, this settlement underscores the importance for HIPAA covered entities and business associates of examining all aspects of privacy and security compliance programs before a breach occurs. If you don’t, OCR will.
This afternoon, HHS released the attached omnibus final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA).
Notably, the final rule makes business associates of covered entities directly liable for certain HIPAA Privacy and Security Rule requirements; expands individuals’ right to receive electronic copies of their health information; incorporates an increased tiered civil money penalty structure as provided by the HITECH Act; changes the “harm” definition included in the HIPAA Breach Notification interim final rule; and modifies the HIPAA Privacy Rule as required by GINA.
Link: HIPAA Final Rule
Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:
On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.
In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuit against Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.
By Amy Crafts
Following a two-year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.
Full Story via Proskauer Privacy Blog
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is 15 years old this year, still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes murkier.
Read the full article here: HIPAA and Emerging Technologies Article
At the annual meeting of the Office of the National Coordinator for Health IT yesterday, Leon Rodriguez, the director of the HHS Office for Civil Rights (OCR), said he "fully expects" the government will institute a permanent HIPAA compliance audit program after the current pilot program wraps up in 2012, GovInfoSecurity reports. The agency will conduct 150 audits over the next 11 months. Rodriguez said the audits are intended to help entities improve compliance with HIPAA. During his presentation, he also addressed the call by Sen. Al Franken (D-MN) for the OCR to "hurry up" and release its final rules for HIPAA modifications. "We indeed are hurrying up," Rodriguez said.
Hospitals are facing increased scrutiny over the privacy of patient medical records. An investigation by HHS’s Office for Civil Rights concluded that a Southern California hospital failed to reasonably restrict access to patient information to only those employees with a valid reason to view the information. A link to the OCR's decision is here. As part of the settlement with the Department of Health and Human Services, the hospital must implement new privacy and security policies approved by OCR, conduct regular trainings for all employees with access to protected health information, sanction offending employees, and designate an independent monitor who will assess the hospital’s compliance over the next 3 years.
Interestingly enough, this settlement comes on the heels of a dramatic increase in enforcement activity by HHS. The most recent enforcement action is the third major settlement to be announced this year. In fact, the first monetary penalty imposed by HHS for violations of the HIPAA Privacy Rule took place on February 22, 2011, when HHS fined Cignet $4.3 million for failing to provide 41 patients with access to their medical records. That same month, Massachusetts General Hospital paid HHS $1 million in connection with the loss of 192 billing records for HIV/AIDS patients. HHS confirmed the renewed focus on HIPAA violations in a statement by OCR Director Georgina Verdugo: "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement."
As a result, covered entities should take this opportunity to closely review their HIPAA compliance programs in light of HHS’s increased enforcement efforts.