Welcome to “A Moment of Privacy,” a newsletter brought to you by the Privacy and Data Security Practice Group at Proskauer Rose LLP.
“A Moment of Privacy” addresses one legal development each month in the area of privacy and data security law. We answer the questions our clients are asking, in a way that we hope gives practical information to our readers. If you send us your question, you may find your answer in an upcoming newsletter.
And now for this month’s question:
Q: My company is a HIPAA-covered entity. We heard that another HIPAA-covered entity recently entered into a settlement with the U.S. Department of Health & Human Services (“HHS”) under which it had to pay civil fines to the federal government for violation of the HIPAA privacy and security regulations. What happened in this case, and what can we learn from it?
For this question, we called in one of our HIPAA privacy experts, Sara Krauss, in Proskauer Rose’s Health Care Department.
A: On July 15, 2008, HHS entered into its first Resolution Agreement with a HIPAA-covered entity to settle potential violations of the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Pursuant to the Resolution Agreement, a Seattle-based not-for-profit health system, Providence Health & Services and certain of its divisions (“Providence”), paid $100,000 to HHS and entered into a potentially burdensome Corrective Action Plan with HHS. HHS advised that Providence’s cooperation in the investigation helped it avoid a civil monetary penalty. Providence has been released from further civil fines to HHS arising out of the particular breaches at issue in this matter, provided that Providence complies with the terms of the Corrective Action Plan throughout its three-year term. The Resolution Agreement did not release Providence from any potential criminal liability.
The circumstances underlying the Resolution Agreement were at least five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce and then misplaced or stolen, potentially compromising the health information of over 386,000 patients. Providence, in accordance with state notification laws, notified patients of the loss of their information. More than 30 of those patients subsequently complained to HHS, although there is no evidence that any of their personal information was wrongfully used as a result of these incidents. The HHS Office of Civil Rights, responsible for enforcing the privacy regulations under HIPAA, and the HHS Centers for Medicare & Medicaid Services, responsible for enforcing the security regulations under HIPAA, jointly investigated these complaints, focusing on Providence’s failure to implement policies and procedures to safeguard the ePHI.
Prior to this Resolution Agreement, HHS had not imposed any fines on any HIPAA-covered entities. In the more than five years that have passed since the compliance deadline for the HIPAA privacy regulations, HHS has received close to 40,000 complaints of violations, the majority of which were not eligible for enforcement. Of those where a violation was identified, HHS resolved the cases by requiring changes in privacy practices and other corrective actions without entering into any formal settlement agreements or imposing any fines.
For more about what Providence is required to do for the next three years under the Corrective Action Plan, see our Privacy Law Blog.
What should my company be doing to avoid a similar enforcement action?
When considered individually, none of the security incidents reported at Providence in 2005 and 2006 was extraordinary. Virtually every day the media includes reports of laptop losses or thefts. Further, the HIPAA privacy and security regulations do not explicitly prohibit off-site access to or transport of ePHI, and do not require encryption of ePHI in all circumstances. While security practices are still evolving, at the time of these incidents it was not uncommon for health care organizations to maintain unencrypted ePHI on storage media, or to permit employees to access ePHI remotely.
When considered collectively, the occurrence at Providence of five similar security incidents over a six-month period is more noteworthy and more relevant for other health care organizations. Further, the types of remedial measures included in the Corrective Action Plan provide evidence of HHS’ focus in this area and serve as additional guidance for HIPAA-covered entities. As a starting point, a covered entity should review its current privacy and security policies and procedures to determine whether they remain relevant, consistent with the experience of the organization, and current with technological advances. Annual reviews should follow. If a HIPAA-covered entity instituted security policies and procedures in 2003 or 2004, those may no longer be reasonable in 2008, and may no longer be consistent with security procedures at other similar organizations. In addition to keeping abreast of industry standards, companies should follow applicable guidance from HHS. In connection with the particular incidents at Providence, in late 2006 HHS issued guidance on the use of portable media and on off-site access to and transport of ePHI.
Any time privacy and security policies and procedures are updated, copies of the revised policies and procedures should be distributed to all applicable employees, and those employees should be retrained in the revised procedures. Next, in the event of a privacy breach or other security incident, a covered entity should immediately investigate the cause of the incident, review its then-current policies and procedures to determine what additional measures should be taken to avoid similar incidents in the future, promptly institute any necessary revisions to policies and procedures, and distribute the revised policies and retrain employees as applicable. Periodic monitoring of compliance with existing privacy and security policies and procedures is also advisable. Finally, all privacy and security policies and procedures, and the training provided in them, should be actively documented.
* * *
In light of the Providence settlement, as well as HHS’ announcement earlier this year that it intends to conduct security audits of HIPAA-covered entities, it appears that we are now moving into an era where HHS is taking a more active role in HIPAA enforcement, particularly with respect to security of electronic health information.
Have a question? E-mail Kristen J. Mathews at kmathews@proskauer.com.