Kusserow on Compliance: OCR is off to the races with $5.4 million in penalties for HIPAA violations

At the end of 2015, the HHS Office for Civil Rights (OCR) took major action against Triple-S Management Corporation. Ultimately, Triple-S settled the claims, which were potential HIPAA violations, for $3.5 million and agreed to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. So far in 2016, two more large settlements for claims relating to HIPAA violations have been announced by the HHS OCR. On March 16, 2016, North Memorial Health Care of Minnesota (North Memorial) agreed to pay $1.5 million to settle HIPAA violations for failing to enter into a Business Associate (BA) agreement with a major contractor and failing to address the risks and vulnerabilities to its patient information. The following day, the OCR announced a $3.9 million settlement with the Feinstein Institute for Medical Research (Feinstein) for violating the HIPAA Privacy and Security Rules.

North Memorial settlement

The case involved a breach report indicating that an unencrypted, password-protected laptop was stolen from the locked vehicle of a BA's workforce member, impacting the electronic protected health information (ePHI) of 9,497 individuals. The investigation revealed that North Memorial had given its BA, Accretive Health, Inc., access to the hospital database containing the ePHI of 289,904 patients, as it performed services on-site, without establishing a BA agreement. An aggravating factor was that the organization had failed to complete a risk analysis addressing all of the potential risks and vulnerabilities to the ePHI in its entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. In addition to the monetary penalties, North Memorial was also required to develop an organization-wide risk analysis and risk management plan and to train workforce members on all policies and procedures developed or revised pursuant to an approved corrective action plan.

Feinstein settlement

Northwell Health, Inc. (Northwell), formerly known as North Shore Long Island Jewish Health System, in New York, comprises twenty-one hospitals and over 450 patient facilities and physician practices. Northwell sponsors Feinstein, a New York not-for-profit biomedical research institute. Feinstein was investigated based on a breach report indicating that a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was, again, stolen from an employee's car. The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. The OCR found that Feinstein's security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by the entity. The organization also lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures governing the receipt and removal of laptops containing ePHI into and out of its facilities. Feinstein also failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Tips and lessons learned from the settlements

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities to confidentiality, integrity, and availability.
  • Ensure security management processes are adequate to address potential ePHI risks and vulnerabilities.
  • Ensure laptops and mobile devices are properly encrypted and password-protected.
  • Keep track of mobile devices and employee access; both are basic security requirements.
  • Ensure all contractors sign BA agreements.
  • Implement adequate policies/procedures for authorizing access to ePHI.
  • Implement safeguards to restrict access by unauthorized users.
  • Follow the basics in reviewing compliance for information security risks and PHI breaches.
  • Train the workforce on all policies and procedures developed or revised.
  • Implement policies/procedures governing receipt and removal of laptops containing ePHI and for controlling access to ePHI by workforce members and users.
  • Develop a corrective action plan to promptly address any weaknesses identified.
  • Ensure all research programs meet the same compliance standards as other HIPAA-covered entities, including assurance of privacy and security protection for patients participating in their research projects.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.


Copyright © 2016 Strategic Management Services, LLC. Published with permission.