Lessons Learned from Recent HIPAA Enforcement Cases


Which ones do I follow?

By Paul J. Welk, PT, JD*

Each issue of Impact magazine has a theme to help guide the contributing authors. Sometimes it is difficult to plan the Legal Impact column consistent with the monthly theme. That is not the case for this month’s article. August’s theme of “Lessons Learned” creates a good opportunity to review recent Health Insurance Portability and Accountability Act (HIPAA) enforcement examples to determine what lessons can be learned.

Lesson Number 1

Lost or stolen electronic devices continue to be at the center of many enforcement actions. In February 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $3.2 million civil money penalty against a medical center. The penalty stemmed from two breach reports by the medical center, one related to the loss of an unencrypted, non–password protected BlackBerry device and one related to the theft of an unencrypted laptop from the medical center’s premises.1 In total, the devices contained electronic protected health information of approximately 6,000 individuals. In April 2017, OCR announced a $2.5 million settlement with a wireless health services provider of remote mobile monitoring of cardiac patients.2 In this case, a laptop was stolen from a vehicle outside of an employee’s home. In announcing these enforcement actions, OCR noted a number of compliance concerns, including the failure to deploy encryption on laptops, mobile devices, and other media; the drafting of form policies and procedures without implementing them; and the failure to perform an appropriate risk analysis and to utilize necessary risk management processes. Practices should take this opportunity to review their policies and procedures, confirm that they have performed and documented a risk assessment, and consider appropriate security options for their electronic devices.

Lesson Number 2

State Attorneys General remain active in enforcement. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring actions on behalf of state residents for violations of HIPAA’s privacy and security rules.3

In November 2017, the California Office of the Attorney General announced a $2 million settlement with a health system to resolve allegations that the health system did not implement reasonable safeguards to protect health information in violation of both state and federal laws. Specifically, two separate data breaches allegedly revealed patient information online when the health system’s information storage depository was connected to the internet without passwords, encryption, firewalls, or permissions.4

In November 2017, the Massachusetts Attorney General entered into a consent judgment with a billing company for losing a laptop that contained unencrypted information of more than 2,500 individuals. As part of the consent judgment, the billing company was required to implement and improve security practices and to pay a $100,000 fine.5

Finally, in March 2018 the New York Attorney General announced a $575,000 settlement with a health insurer stemming from a breach in which the social security numbers of over 80,000 policyholders were mistakenly printed on envelopes containing benefit information. The Attorney General’s press release noted the health plan’s failure to comply with a number of specifications under HIPAA as well as a violation of New York law. The health plan was required to implement a corrective action plan that required, among other things, the performance of a risk analysis and a review of its policies and procedures based on the results of the assessment.

Oftentimes health care providers put extensive time and effort into complying with HIPAA while failing to give appropriate consideration to applicable state laws. These enforcement examples are an important reminder of the necessity to consider state as well as federal obligations.

Lesson Number 3

Impermissible access to, or disclosure of, protected health information remains a key concern. A number of OCR settlements related in whole or in part to impermissible access to, or disclosure of, protected health information. In February 2017, OCR announced a $5.5 million settlement with a corporation that operates a variety of health care facilities. In this enforcement action, protected health information of over 115,000 individuals was accessed impermissibly by employees and improperly disclosed to affiliated physician office staff. Additionally, the login credentials of a former employee were utilized to access information on a frequent basis without being detected for approximately one year. Although the corporation had policies and procedures in place, they were not implemented.6

In April 2017, a health center reached a $400,000 settlement in connection with a hacker accessing employees’ email accounts and obtaining protected health information of approximately 3,200 individuals through a phishing incident. OCR noted the failure to conduct a risk analysis and the insufficiency of a risk analysis when it was ultimately performed.7

In February 2018, a provider of products and services for patients with kidney failure agreed to pay $3.5 million and adopt a corrective action plan in connection with multiple breach reports. These breach reports related to impermissible disclosures of electronic protected health information through unauthorized access, failure to implement policies and procedures, and failure to implement a mechanism to encrypt and decrypt electronic protected health information.8

In May 2017, OCR announced a $387,200 settlement with a hospital center that resulted from a complaint to OCR alleging that a staff member impermissibly disclosed protected health information to a patient’s employer. Specifically, the information was impermissibly faxed to the employer rather than to the personal post office box requested by the individual.

Finally, in May 2017 a health system agreed to pay $3.4 million in connection with the arrest of a patient for allegedly using a fraudulent identification card. In its publication, OCR noted that the disclosure of protected health information to law enforcement was permitted under HIPAA; however, the health system subsequently published a press release concerning the incident and added the patient’s name in the title of the press release. OCR also noted that the health system failed to timely document the sanctioning of its workforce members for the impermissible disclosure.9

In reviewing these enforcement examples, whether through the brief summaries given or in greater detail through the referenced footnotes and resolution agreements, one can see a number of lessons that can be learned. While none of these examples deals with a physical therapy private practice, it is not difficult to imagine how these sets of facts could easily have occurred in the physical therapy setting. From a compliance and risk management perspective, reviewing these enforcement examples should provide an excellent framework for readers to learn from the mistakes of others and take appropriate action to avoid similar issues in their practice.


1 Lack of timely action risks security and costs money. February 1, 2017. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens/index.html. Accessed May 4, 2018.

2 $2.5 million settlement shows that not understanding HIPAA requirements creates risk. April 24, 2017. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html. Accessed May 4, 2018.

3 State Attorneys General. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html. Accessed May 4, 2018.

4 Attorney General Becerra announces $2 million settlement involving Santa Barbara-based cottage health system over failure to protect patient medical records. https://www.oag.ca.gov/news/press-releases/attorney-general-becerra-announces-2-million-settlement-involving-santa-barbara. Accessed May 4, 2018.

5 AG Healey settles with billing company over data breach impacting children. https://www.mass.gov/news/ag-healey-settles-with-billing-company-over-data-breach-impacting-children. Accessed May 4, 2018.

6 $5.5 million HIPAA settlement shines light on the importance of audit controls. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial/index.html. Accessed May 4, 2018.

7 Overlooking risks leads to breach, $400,000 settlement. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mcpn.html. Accessed May 4, 2018.

8 Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fmcna/index.html. Accessed May 4, 2018.

9 Texas health system settles potential HIPAA violations for disclosing patient information. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mhhs/index.html. Accessed May 4, 2018.

*Please note that this article is not intended to, and does not, serve as legal advice to the reader but is for general information purposes only.

Paul Welk

Paul J. Welk, PT, JD, is a Private Practice Section member and an attorney with Tucker Arensberg where he frequently advises physical therapy private practices in the areas of corporate and health care law. He can be reached at pwelk@tuckerlaw.com.

*This author has a vested interest in this subject.