HHS Claims a Record Haul With $5.55 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of multiple potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving an Illinois-based health care system. The health care system will pay $5.55 million, the largest amount to date against a single entity, to settle the potential HIPAA violations. It must also carry out extensive corrective measures that include a comprehensive risk analysis, a risk management plan, and review by a third-party assessor.

HHS Claims a Record Haul With $5.55 Million HIPAA Settlement

Practical Law Legal Update w-002-9298 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
In a settlement proclaimed by HHS as the "largest-to-date against a single entity," an Illinois-based health care system will pay $5.55 million for multiple potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving electronic protected health information (ePHI) (see HIPAA Privacy, Security, and Breach Notification Toolkit and the related press release). The health care system, a HIPAA covered entity, must also undertake an onerous corrective action plan (CAP) consisting of a thorough risk analysis, a risk management plan, HIPAA training, review by a compliance assessor, and more (see Standard Document: HIPAA Training for Group Health Plans: Presentation Materials). According to HHS, the record-setting size of this settlement is due to:
  • The extent and duration of the alleged noncompliance, which dated back to the HIPAA Security Rule's inception in some cases (see Practice Note, HIPAA Security Rule).
  • The State Attorney General's involvement in a corresponding investigation.
  • The large number of individuals whose information was affected by the potential HIPAA violations.
HHS began its investigation after the health care system submitted three separate breach notification reports to the government in less than a four-month period, each involving the same subsidiary within the health care system (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). Specifically, the incidents included:
  • A breach of unsecured ePHI after four desktop computers containing the ePHI of approximately four million individuals were stolen from the subsidiary's office building.
  • A breach involving the ePHI of more than 2,000 patients, whose information was potentially compromised after the networks of one of the subsidiary's business associates (BA) were accessed by an unauthorized third party.
  • The theft of an unencrypted laptop containing the ePHI of more than 2,200 individuals from the vehicle of one of the subsidiary's employees.
The ePHI at issue included demographic, clinical, and health insurance information, patient names, addresses, credit card numbers and expiration dates, and individuals' dates of birth.

Scope of HIPAA Compliance Failures

In the resulting investigation of the health care system, HHS identified the following compliance failures:
  • A failure to conduct an accurate and thorough risk analysis incorporating all of the health care system's facilities, information technology equipment, applications, and data systems that used ePHI.
  • A lack of policies and procedures to restrict physical access to electronic information systems housed at the subsidiary's office building (and a related failure to reasonably safeguard individuals' ePHI).
  • A failure to obtain satisfactory assurances, through written BA agreements, that the BA would protect ePHI within the BA's possession or control.
  • The health care system's disclosure of individuals' ePHI to its BA without a BA agreement.
  • A failure to reasonably protect individuals' ePHI by leaving an unencrypted laptop in an unlocked vehicle overnight.

Corrective Action Plan

In addition to the $5.55 million payment, the health care system must adhere to a lengthy CAP that requires it to:
  • Conduct a comprehensive risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the health care system (including all its facilities, both owned and rented).
  • Develop an enterprise-wide "risk management plan" to address and mitigate any security risks and vulnerabilities identified in the risk analysis (along with an implementation timeline).
  • Implement a written process to regularly evaluate environmental or operational changes impacting the security of ePHI in the health care system's possession or control (including any newly acquired entities).
  • Develop an encryption report detailing the total number of devices and equipment that may be used to access, store, download, or transmit ePHI, including whether the devices and equipment are encrypted.
  • Review and revise its policies and procedures governing the use of hardware and electronic media used to access, store, download, or transmit ePHI (including desktop and laptop computers, servers, tablets, mobile phones, USB drives, and other items).
  • Review and revise its policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, and to ensure that properly authorized access is allowed (see Practice Note, HIPAA Security Rule: Physical Safeguards: Facility Access Controls).
  • Review and revise its policies and procedures relating to BAs (see Standard Document, HIPAA Business Associate Policy), a task that includes multiple subparts (for example, having procedures to identify potential relationships that must be governed by a BA agreement).
  • Promptly investigate reports that a workforce member has failed to comply with governing HIPAA policies and procedures.
Many of the tasks outlined above involve a submission of information to HHS and the government's substantive sign-off.

Training Materials

The CAP also requires the health care system to develop an enhanced training program on HIPAA privacy and security awareness for all workforce members with access to PHI, including ePHI (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). The health care system must submit its proposed training materials to HHS for approval. The training program must include:
  • General instruction on compliance with the health care system's HIPAA policies and procedures.
  • Training on all of the new and revised policies and procedures under the CAP.
The health care system must review the training program at least every two years.

Monitoring and Third-Party Assessor

Under the CAP, the health care system must submit (and revise as necessary) a written "internal monitoring plan" to evaluate its own compliance with the CAP.
In addition, the health care system must engage an independent third-party assessor to review its subsidiary's compliance with the CAP. The chosen assessor must:
  • Demonstrate to HHS's approval that its expertise and experience are sufficient to carry out the required reviews.
  • Submit a written plan to the government for executing its duties.
The assessor will investigate, evaluate, and make specific determinations about the health care system's CAP compliance. Among other tasks, the assessor must:
  • Conduct unannounced site visits to facilities and departments to ensure that the health care system's policies and procedures are being followed by its workforce members.
  • Perform quarterly progress meetings with the health care system's security officer and BAs.
  • Follow up on any reported noncompliance with the CAP.
  • Submit written reports to HHS regarding its findings, and immediately report any significant CAP violations to HHS and the health care system.
HHS is also authorized under the CAP to perform its own investigations of the assessor's reports to validate that the CAP's requirements are being followed.

Practical Impact

Aside from the record-setting payment required under this settlement, this resolution agreement is notable for the sheer breadth of requirements that the covered entity must perform under the CAP, most of which involve HHS's approval and ongoing oversight. As outlined above, the agreement includes the involvement of an assessor, in a role defined with great specificity under the CAP. By HHS's own admission, the severity of the payment and CAP provisions in this resolution agreement (relative to other agreements) is intended to send a "strong message" regarding the need for HIPAA covered entities to undertake a comprehensive risk analysis and implement a management plan to protect the security of individuals' ePHI (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations: Examples of Resolution Agreements).