Data security issues captured headlines in 2014. A number of large corporations had well-publicized breaches of consumer information. With the attention on data security, many health care providers have sought to stay out of the limelight by developing a robust compliance program to protect patient data and comply with the Health Insurance Portability and Protection Act. A breach of HIPAA can lead to private lawsuits, reputational harm, and civil and criminal actions by the Office for Civil Rights (OCR) and the Department of Justice (DOJ). Recent civil actions taken by the OCR highlight the importance of understanding and complying with the evolving HIPAA rules and regulations. Enforcement actions were not confined to certain types or sizes of providers, nor were they limited to “egregious” cases.
Changing regulatory regime
HIPAA has undergone a number of iterations since its passage in 1996. For example, the act’s scope was expanded in 2009 by the HITECH Act, which provided for new breach notification requirements and extended the application of HIPAA to business associates. A business associate is an entity engaged by a covered entity to carry out tasks involving the creation, receipt, maintenance or transmission of protected health information (PHI). In January 2013, the Department of Health and Human Services (HHS) published the final rule to interpret and implement the provisions of the HITECH Act. Covered entities and business associates had until September 2013 or, for certain agreements in place prior to the final rule, September 2014 to comply with most of the provisions of the final rule. Providers and business associates should ensure that their compliance programs incorporate the requirements of the HHS final rule.
A key to understanding the risk of liability and developing an appropriate compliance program is to determine which entities are subject to HIPAA and what information is protected. Information is PHI if it contains health information and either directly or indirectly identifies an individual or its contents could reasonably be used to infer the individual’s identity. Not all disclosures are breaches of HIPAA; disclosures of PHI are allowed without patient authorization for purposes such as treatment, payment, and health care operations. Disclosures of PHI not specifically exempted are presumed to be a breach unless the covered entity or business associate can demonstrate through a risk assessment that there is a low probability that the PHI was compromised. As discussed below, providers have run afoul of these requirements by not updating their compliance programs or by taking insufficient measures to protect PHI.
Recent HIPAA settlements
With limited exceptions, the number of complaints received by the OCR and corrective action taken has grown steadily since the agency began enforcing HIPAA in 2003. As of November 2014, the OCR had received a total of over 105,000 complaints. Recent data indicates that the rate of complaints is increasing. Although data from 2014 is not yet available, the number of complaints increased by 16% in 2012 and 24% in 2013. OCR data suggests that business associates are involved in a significant number of these incidents. Business associates were involved in 323 of 1124 breaches affecting more than 500 patients (29%) as of August 2014. Recent actions by the OCR provide some indication of the types of violations that the agency is most aggressively pursuing.
The largest settlement to date occurred in May 2014 between the OCR and New York-Presbyterian Hospital (NYP) and Columbia University. The $4.8 million settlement was based on a September 2010 failure by NYP and Columbia to safeguard shared electronic PHI (ePHI), which resulted in the ePHI of 6,800 individuals being accessible via an internet search engine. Based on the incident, the OCR investigated NYP and Columbia and found that the entities had not made efforts to ensure that the server containing the data was secure and had not developed adequate risk management plans, and that NYP had failed to implement and comply with appropriate policies and procedures for access to databases containing ePHI. As part of the settlement, both NYP and Columbia entered into corrective action plans requiring that the entities undertake risk analyses, develop risk management plans, revise policies and procedures, train staff, and provide the OCR with progress reports. The settlement is particularly notable because the OCR’s press release gave no indication of willful behavior or failure to cooperate on the part of either NYP or Columbia. Prior to the May 2014 settlement, the largest fine levied by the OCR had been $4.3 million against Cignet Health for violating patients’ rights by denying them access to their medical records and failing to cooperate with the OCR in its investigation. The NYP and Columbia settlement suggests that the OCR may seek high penalties even in the absence of any intent to violate HIPAA or to inhibit an OCR investigation.
A number of 2014 settlements are instructive to providers about the importance of encrypting laptops and thumb drives containing ePHI. Concentra Health Services settled an OCR investigation for $1,725,220 involving a 2011 incident where an unencrypted laptop was stolen from one of its physical therapy centers. The OCR’s investigation found that Concentra had failed to encrypt or document why encryption was not reasonable and appropriate for devices containing ePHI and had not sufficiently implemented policies and procedures to detect, contain and correct security violations. QCA Health Plan settled with the OCR for $250,000 for a 2012 incident involving the theft of an unencrypted laptop containing ePHI from a workforce member’s car. The OCR’s investigation found that QCA failed to comply with multiple HIPAA requirements from April 2005 to June 2012.
Similarly, the theft of a thumb drive containing ePHI from a staff member’s car led to a $150,000 settlement by Adult & Pediatric Dermatology (APDerm) in December 2013. The settlement was also the first to involve a finding that an entity had failed to implement the HITECH Act requirement to have policies and procedures in place to address breach notification. Device theft settlements are a reminder for providers to have policies and procedures in place to train staff on how to handle ePHI and report potential breaches, as well as of the importance of encrypting devices to mitigate the risk of third-party access when a device is lost or stolen.
There have also been recent settlements reminding providers of the importance of securing paper records. In June 2014, Parkview Health Systems settled an OCR investigation for $800,000 for leaving 71 boxes of medical records unattended on the driveway of a retiring physician’s home. The OCR found that Parkview had not appropriately and reasonably protected patients’ PHI. As part of the settlement, Parkview entered into a corrective action plan to revise its policies and procedures, train staff, and provide implementation reports to the OCR.
Criminal liability is a risk where an individual has knowingly obtained or disclosed PHI in violation of HIPAA, has used false pretenses to obtain or disclose PHI, or has the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm. Since it began enforcing HIPAA, the OCR has referred 540 cases to the DOJ for possible criminal prosecution. One recent action involved an Arkansas nurse who accessed a patient’s data and shared it with her husband. The husband then called the patient and allegedly threatened to use the information against the patient in an ongoing legal action. The nurse pled guilty to wrongfully disclosing the information and faces a maximum penalty under HIPAA of 10 years in prison and a fine of up to $250,000.
In sum, recent OCR actions have placed providers on notice of the financial and reputational risks associated with HIPAA violations. Given the increasing focus on corporate data security, it seems likely that the OCR will continue to aggressively pursue complaints. HIPAA violations also carry a risk of liability under state privacy laws and, for individuals who knowingly or willfully use or disclose PHI, potential criminal liability. Additionally, ostensible compliance with HIPAA may not always be sufficient to insulate an entity from liability. A medical billing company, PaymentsMD, recently settled with the Federal Trade Commission for unlawfully collecting patient data. The FTC alleged that PaymentsMD used deceptive practices to seek patient permission to collect PHI from providers and insurers. The complaint alleged that PaymentsMD requested permission to collect PHI through small webpage windows displaying extensive text that could all be agreed to by clicking a single box. Thus, providers are advised to proactively review and update their HIPAA compliance programs rather than waiting for a knock on the door from a regulator.
This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. The opinions expressed at or through this article are the opinions of the individual authors and may not reflect the opinions of the firm or any individual attorney.