HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS Generally for 3 years Generally involves a resolution payment Internal or external monitor appointment and work plan Revision and OCR approval of policies and procedures Detailed training requirements (OCR approved) Extensive reporting duties to OCR OCR may seek to impose CMPs for uncured breach of CAP Enforcement Highlights First Civil Monetary Penalties Case (2011) Cignet Health of Prince George s County, MD - $4.3 million CMP Violated 41 patients rights by denying them access to their medical records when requested ($1.3 million in CMPs) Failed to cooperate with OCR s investigations on a continuing daily basis for over 1 year due to willful neglect ($3 million in CMPs) Mass General Hospital Resolution Agreement $1 Million Resolution Payment and 3-year CAP 1
BCBS Tennessee Employee left documents containing PHI of 192 infectious disease patients, including HIV/AIDS information, on subway CAP likely to be more expensive and burdensome than RA payment Required implementation of policies and procedures regarding physical removal and transportation of PHI off premises, laptop encryption and USB drive encryption $1.5 Million Resolution Payment and 450 Day CAP OCR investigation stemmed from a self-reported HITECH breach Theft of 57 unencrypted computer hard drives containing PHI of over 1 million members from a leased facility BCBST had relocated its staff from this site and surrendered the property except a network data closet, and had turned security services over to the local property manager. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock BCBST incurred more than $17 million in direct expenses relating to its investigation and remediation of the incident Keeping unencrypted disk drives or other sensitive data behind locked doors isn t enough: encrypt it OCR was not sympathetic to fact this was a result of theft Re-examine physical access contracts University of California at Los Angeles Health System $865,500 Resolution Payment and CAP - UCLAHS Employees repeatedly and without permissible reason looked at the electronic PHI of 2 celebrity patients From 2005-2008, unauthorized employees repeatedly looked at the electronic health records of numerous other UCLAHS patients. OCR investigations indicated: Failure to reasonably restrict access to patient information to only those employees with a valid reason to view the information Failure to train on privacy and security 2
Failure to sanction employees for accessing ephi without proper purpose CE will be held accountable for employees who access PHI to satisfy their own personal curiosity Separate DOJ criminal investigation lead to guilty plea of UCLAHS employee for one count of obtaining PHI for commercial advantage Phoenix Cardiac Surgery, P.C. $100,000 Resolution Payment and CAP Investigation indicated multi-year failures: Posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible (1000 patients) Daily transmitted ephi from an internet-based email account to workforce members personal Internet-based email accounts Did not have a security officer Did not conduct a security risk assessment Did not train or document training Did not have BAAs with the Internet-based email and calendar services responsible for storing and accessing ephi Small covered entities do not get a pass for failing to comply with security rule Post-HITECH Enforcement Highlights $1.7 million settlement and 3 year CAP - Alaska DHSS Breach report indicated that a portable electronic storage device (USB hard drive) possibly containing ephi was stolen from the vehicle of an Alaska DHSS employee. OCR investigation indicated: Inadequate policies and procedures in place to safeguard ephi No risk analysis Lack of security training for Alaska DHSS workforce members Lack of device and media controls Failure to address device and media encryption 3
State agencies not immune from OCR enforcement action Encrypt and track portable electronic devices containing ephi; have procedures for disposal and re-use of these devices to make sure ephi not improperly disposed of/disclosed The Rise of State AG HIPAA Enforcement Examples HITECH provided State AGs with enforcement authority for HIPAA violations State AGs may bring action under both HIPAA and/or state law. State AGs may seek to injunctive relief and CMP up to a maximum of $25,000 for all identical HIPAA violations per calendar year May file under potentially more expansive or vague state laws. Specific laws may have additional requirements either as to security or as to breach notification content/timing State AG settlements may impose burdensome and costly corrective action requirements, similar to OCR CAPs OCR now offers training to State AGs on how to enforce HIPAA (see http://www.hhshipaasagtraining.com/) CT/VT AGs - Health Net $250,000 settlement and detailed corrective action plan CT AG sued insurance provider Health Net Inc. for HIPAA and state law violations in connection with a missing disk drive that contained unencrypted PHI, social security numbers and bank accounts for nearly half a million Connecticut enrollees. Health Net waited 6 months to send notification. VT AG also sued Health Net ($55,000 settlement and CAP) relating to some 500 VT residents. MA AG - South Shore Hospital ($750,000 settlement and extensive corrective action imposed, including required third party auditing with reports to MA AG). Lost 2 of 3 boxes of un-encrypted backup tapes containing PHI over 800,000 individuals Being shipped to a contractor, Archive Data, to be erased/resold Failure to adequately safeguard patient health information under the HIPAA and state law. 4
Did not inform Archive Data that the tapes contained PHI or put in place a BAA Did not properly train its staff with respect to appropriate health data privacy protocol. None of the data encrypted 5