(May 29, 2014): On April 22, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) announced that it had entered into resolution agreements with two entities for $1,725,220 and $250,000, respectively, to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The main takeaway from these settlements? Covered entities and business associates could best protect themselves against future violations through HIPAA encryption procedures.
I. HIPAA and HITECH Impose Duty to Safeguard Privacy and Security of Patient PHI:
Under the Health Insurance Portability and Accountability Act of 1996[1] (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act[2], covered entities[3] and business associates[4] must safeguard the privacy and security of their patients' Protected Health Information (PHI). PHI includes any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual.[5]
Additionally, in January 2013, HIPAA was updated via the Final Omnibus Rule. These updates not only greatly enhanced a patient's privacy rights and protections, but also strengthened the ability of HHS-OCR to vigorously enforce the HIPAA privacy and security protections. For example, covered entities and business associates must review and modify security measures as needed to ensure the continued provision of "reasonable and appropriate" protection of EPHI.[6] Moreover, the impermissible use or disclosure of PHI (i.e., in violation of the HIPAA Privacy Rule) is now presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised.[7]
However, while employees of covered entities and business associates regularly use laptops, tablets or other mobile devices to access, store and transmit electronic PHI (EPHI), many of these entities have not implemented the requisite safeguards to protect this sensitive information. These devices, many of which remain unencrypted, leave EPHI vulnerable to unauthorized access and disclosure. When such a device is lost or stolen, a "breach"[8] has occurred and must be reported. Furthermore, there are significant civil monetary penalties for security breaches. In light of these risks, HIPAA encryption is recommended.
II. Stolen Laptops Without HIPAA Encryption Lead to Settlements:
Breaches regularly occur when electronic devices are lost or stolen. In fact, stolen laptops containing unencrypted EPHI have resulted in many recent settlement agreements with HHS-OCR. Just last month, two covered entities agreed to collectively pay HHS-OCR almost $2 million to resolve potential violations of the HIPAA Privacy and Security Rules.
Following the first covered entity’s submission of a breach report indicating that a laptop had been stolen from one of its facilities, HHS-OCR initiated a compliance review. HHS-OCR concluded that the covered entity recognized that lack of HIPAA encryption of electronic devices posed a security risk to patient data. However, it “failed to adequately remediate and manage its identified lack of HIPAA encryption or, alternatively, document why HIPAA encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.”
As to the other covered entity, HHS-OCR found that it “did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule.”
As part of the resolution agreements with HHS-OCR, each covered entity entered into a corrective action plan under which it agreed to provide OCR with an updated risk assessment management plan, updates on the HIPAA encryption status of its devices and equipment, and proof that it had completed security awareness training of its staff.
III. Final Remarks:
A review of both settlement agreements reveals some interesting findings. Notably, both agreements reflect some degree of compliance with the Security Rule prior to the imposition of a monetary settlement. While covered entities and their business associates should review these settlement agreements, it is important to understand that partial compliance with HIPAA and HITECH is NOT SUFFICIENT. If you are found to be in violation of the Rules, civil monetary fines will be levied on you.
Covered entities and business associates should ensure that they are in FULL COMPLIANCE with the requirements of HIPAA. You must take steps to immediately conduct a full Security Rule risk assessment and mitigate any identified risks to patient PHI. Do you need help conducting a risk assessment or instituting a full compliance program? We would be more than happy to assist you. Give us a call today.
Remember: if you and your staff are using laptops to access, store and transmit ePHI, OCR has given you the appropriate guidance to safeguard your patients – and YOU: "[...] encryption is your best defense against these incidents."
Robert Saltaformaggio, Esq., serves as an Associate at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. The firm also represents health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. For a free consultation, call 1 (800) 475-1906.
- [1] Pub. L. 104–191, 110 Stat. 1936.
- [2] Enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5).
- [3] "Covered entities" generally include health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions. 45 C.F.R. § 160.103.
- [4] See 45 C.F.R. §§ 160.102 and 160.103.
- [5] 45 C.F.R. § 164.501.
- [6] 45 C.F.R. § 164.306(c).
- [7] 45 C.F.R. §§ 164.400–414.
- [8] See 45 C.F.R. § 164.402.