
HITECH and HIPAA Enforcement Activities

By ALM Staff | Law Journal Newsletters
November 29, 2012

The Department of Health and Human Services Office for Civil Rights (OCR) is putting new emphasis on enforcing patient privacy rights since the passage of the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §§ 17921-17954 (HITECH), in 2009. The HITECH Act gave the OCR increased capabilities to ferret out breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and it is using them to step up enforcement.

Settlements in 2012

OCR entered into four settlement agreements with health-care entities in 2012, three of which came to the agency's attention through breach notifications. Let us look at them.

Phoenix Cardiac Surgery

The OCR investigated this group of six cardiothoracic surgeons after it received a complaint alleging that ePHI (electronic protected health information) was publicly available on the Internet. The investigation revealed that, over the course of a year and a half, more than 1,000 entries containing ePHI were posted on a publicly accessible Internet-based calendar. In addition, for more than four years, ePHI had been e-mailed to employees via personal, Internet-based e-mail accounts. Besides these specific actions, the OCR found that the covered entity did not provide or document employee training on proper ePHI policies and procedures; did not implement the required administrative and technical security safeguards in that it failed to have an identified Security Official; did not have business associate agreements with the vendors of the Internet-based services; and failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI. The group's new policies and procedures will be required to include:

  • A risk analysis, including, but not limited to, when ePHI is posted in an Internet-based calendar, transmitted over Internet-based e-mail, accessed remotely or transmitted to or stored on a portable device;
  • A risk management plan addressing the risks identified in the analysis;
  • Identification of a Security Official;
  • Written contracts with business associates;
  • Technical safeguards to permit access to electronic information systems only by those granted the authority;
  • Encryption or other adequate safeguard for any ePHI transmitted to or from a portable device; and
  • Workforce training.

The settlement amount was $100,000. The term of the corrective action plan (CAP) is a year, and there is no Monitor.

Blue Cross/Blue Shield of Tennessee

The investigation arose from Blue Cross/Blue Shield of Tennessee's (BCBST) Breach Report of the theft of 57 unencrypted hard drives containing the ePHI of more than one million people. The hard drives were taken from a network data closet in a facility that BCBST had recently vacated, but from which the hard drives had not yet been relocated. Although the data closet was secured by the building's security services, by biometric and keycard scan security devices with a magnetic lock and by a second door with a keyed lock, the OCR nevertheless found BCBST to be responsible for the loss and lacking in physical security measures, among other violations.

The settlement amount was $1.5 million. The CAP, which will last 420 days, includes the updating of policies and procedures to include those related to: 1) conducting a risk analysis and implementing a resulting risk management plan specific to portable devices; 2) facility access controls; 3) a security plan to limit access to electronic information systems and facilities and to safeguard equipment from unauthorized physical access, tampering and theft; and 4) physical safeguards governing the storage of electronic storage media containing ePHI. The CAP requires monitoring by BCBST's Chief Privacy Officer (not an outside person), who is required to make unannounced site visits to facilities housing portable devices and produce two Monitor Reviews and two Biannual Reports.

MEEI

MEEI (Massachusetts Eye and Ear Infirmary) filed a Breach Report for the loss of a non-MEEI owned portable device that contained MEEI ePHI. The OCR found that MEEI had violated the Security Rule because it did not properly assess the risks associated with having unencrypted ePHI on portable devices or implement appropriate policies and procedures to address those risks. Specifically, MEEI did not adequately implement policies and procedures to:

  • Restrict access to ePHI on portable devices to authorized users or software programs;
  • Track which portable devices access its network;
  • Track movement of portable devices into, out of and within the facility, including non-MEEI owned portable devices; or
  • Implement an appropriate alternative measure to encryption.

The settlement amount was $1.5 million and the CAP is for three years, under which MEEI must create new policies and procedures to address the violations noted above, and also to address an appropriate risk analysis and resulting risk management plan; the choice of a Security Official; the response to security incidents; and permissible and impermissible uses of ePHI on any portable device. In addition, a Monitor will make unannounced on-site visits to review MEEI's compliance with the CAP and will issue a report every six months to OCR.

Alaska Medicaid

Following a Breach Report from the Alaska Department of Health and Social Services (DHSS) that a portable electronic device (a USB drive) containing ePHI had been stolen from an employee's car, the OCR found systemic HIPAA violations similar to those described above. These included lack of: 1) risk analysis; 2) sufficient risk management measures; 3) workforce training; 4) tracking receipt and removal of hardware containing ePHI in and out of and within the facility; and 5) properly addressing encryption.

In the first HIPAA settlement agreement with a state agency, DHSS (Alaska Medicaid) agreed to pay OCR $1.7 million, to a CAP of three years, and to monitoring by an independent monitor chosen by DHSS. The Monitor must provide quarterly reports to the OCR based on its reviews of DHSS' compliance with the CAP.

As with the other settlement agreements, the corrective action focuses on the implementation of new policies and procedures that address: tracking; safeguarding; encrypting; reusing or disposing of devices containing ePHI; responding to security incidents; and sanctions for workforce members who violate the new policies and procedures.

Audits in 2012

The first 20 audits of 2012 were conducted on eight health plans, 10 health-care providers and two health-care clearinghouses. The health-care providers included physicians, hospitals, laboratories, dental practices, nursing and custodial care facilities and pharmacies.

The audit protocol contains 165 “key activities” that the auditors can assess, 77 of which are related to the Security Rule, and 88 of which are related to the Privacy and Breach Notification rules. Generally, the majority of transgressions found involved violations of the Security Rule. Issues most commonly identified in the 20 audits included the following:

  • With respect to the Privacy Rule: missing business associate contracts; improper use and disclosure of information concerning deceased patients; and failure to verify the identity of the person requesting health information;
  • With respect to administrative requirements: lack of written policies and procedures and privacy training; and
  • With respect to the Security Rule, which had by far the most violations: failure to conduct or update a risk analysis; granting or modifying user access to ePHI; lack of contingency planning in cases of emergencies in order to access electronic records; media reuse and destruction; authentication of the user attempting to access ePHI and protection of ePHI from unauthorized alteration or destruction; and, with the highest number of violations, monitoring of user activity on devices and systems that contain ePHI.

Conclusion

From the OCR's activity in 2012, we can infer several things. First, Breach Reports involving the PHI of more than 500 individuals can result in investigations that can lead to settlements and/or civil monetary penalties (CMPs). Second, the settlement agreement with Phoenix shows that the OCR will treat small covered entities in the same manner that it treats larger covered entities. Third, the systemic violations of the three larger covered entities discussed here resulted in large settlement amounts of $1.5 to $1.7 million, a trend that could continue for violations by large covered entities. Fourth, the OCR is particularly focused on the proper protection of portable devices, including tracking their movement in and out of facilities, and providing adequate alternative safeguards where encryption is not used. Fifth, the OCR is showing a strong interest in proper workforce training. Sixth, the bulk of violations in the 2012 settlements involve the Security Rule.

And, finally, although there have not yet been any settlements or CMPs based on the new audit program, it is important to remember that the OCR has the power to enforce violations uncovered during an audit, either through a settlement or the assessment of CMPs. All covered entities should therefore be well-prepared for a potential audit.


Barry B. Cepelewicz, a member of this newsletter's Board of Editors, is a partner at Garfunkel Wild, P.C. Lacey E. Tucker is an associate at the firm.