HHS has announced two major settlements it has reached with covered entities to resolve alleged violations of the HIPAA Privacy and Security Rules. The terms of each settlement agreement require the covered entity to pay a multimillion dollar penalty to HHS and implement a corrective action plan.
HIPAA Privacy Rule. The HIPAA Privacy Rule establishes standards to protect individuals’ medical records and other protected health information (“PHI”). The rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires covered entities to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI by covered entities without patient authorization.
HIPAA Security Rule. The HIPAA Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits PHI in electronic form (“e-PHI”). The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Privacy Rule Violation. HHS initiated its compliance review following media reports that the covered entity had disclosed a patient’s PHI without authorization. Specifically, a patient at one of the covered entity’s clinics was arrested after presenting a fraudulent identification card to office staff. The staff reported the incident to law enforcement, a disclosure the Privacy Rule permits. However, the covered entity subsequently issued a press release that impermissibly disclosed PHI by including the patient’s name in the press release headline. In addition, the covered entity failed to document in a timely manner the sanctions imposed on the employees who impermissibly disclosed the patient’s name to the media.
To resolve these Privacy Rule violations, the covered entity agreed to pay a $2.4 million penalty and implement a corrective action plan that required it to update its policies and procedures on safeguarding PHI, and provide training to its employees on the issue.
Security Rule Violation. This investigation stemmed from the covered entity’s report to HHS that an employee’s unencrypted laptop computer, which contained the PHI of 1,391 individuals, had been stolen from a vehicle parked outside the employee’s home. HHS’s review of the incident revealed that, at the time of the theft, the covered entity’s risk analysis and risk management plan were insufficient and that it had failed to implement policies and procedures governing encryption and the movement of electronic media within its facilities.
To settle these Security Rule violations, the covered entity agreed to pay a $2.5 million penalty and implement a corrective action plan that requires it to conduct a risk analysis and adopt a risk management plan. The covered entity also agreed to implement secure device and media controls, and certify to HHS that all portable media devices are encrypted.
To prevent costly HIPAA enforcement actions, covered entities are advised to:
- Conduct new risk analyses after all modifications to underlying technology;
- Update policies and procedures to account for changes in technology or practices;
- Regularly provide HIPAA training to employees;
- Conduct HIPAA audits;
- Monitor security breaches; and
- Create and implement a breach response plan.