The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving a nonprofit health care provider. The provider will pay $1,550,000 to settle the potential violations and must take corrective measures that include developing an organization-wide risk analysis and risk management plan. HHS also announced a separate $3.9 million settlement of potential HIPAA violations that likewise stemmed from a stolen laptop.
According to HHS, the provider's breach report indicated that the electronic PHI of nearly 9,500 individuals was accessed when a password-protected but unencrypted laptop was stolen from the locked vehicle of an employee of the provider's contractor. (A login password does not protect data at rest: the drive can simply be removed and read on another machine, which is why HHS treats unencrypted devices as a breach exposure and encrypted ones as a safe harbor.) At the time of the breach, the provider and the contractor had not yet entered into a BA agreement, though they did so a few months after the theft (see Standard Document, HIPAA Business Associate Agreement). As a result, at the time of the theft, the provider had given its contractor access to its database, which stored the electronic PHI of nearly 290,000 individuals, without obtaining satisfactory assurances under a BA agreement that the provider's PHI would be protected. According to HHS, the provider also failed to conduct a thorough risk analysis that covered all of its technology equipment, applications, and data systems that use electronic PHI.
Under its resolution agreement with HHS, in addition to the $1,550,000 payment, the provider must:
Comply with the CAP (see Corrective Action Plan), and retain all documents and records relating to CAP compliance for six years.
Submit annual reports detailing its compliance with the CAP for each reporting period.
Corrective Action Plan
The CAP requires the provider to develop policies and procedures related to its BA relationships, including:
Designating one or more individuals to ensure that it enters into BA agreements with all its BAs before disclosing PHI to them.
Creating a process for determining when a business relationship requires a BA agreement.
Creating a process for negotiating and entering into BA agreements and maintaining documentation of the agreements for at least six years.
Limiting disclosures of PHI to BAs to the minimum necessary for the BAs to perform their duties.
The CAP also requires the provider to:
Complete, for approval by HHS, a comprehensive risk analysis of security risks and vulnerabilities that reflects all electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic PHI.
Develop a complete inventory of all electronic equipment, data systems, and applications that contain or store electronic PHI, which will be incorporated in the risk analysis.
Develop, also for approval by HHS, an organization-wide risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis.
Promptly investigate potential violations of its compliance policies and procedures and, if it determines a violation has occurred, notify HHS in writing within 30 days.
Practical Impact
This settlement is but the latest in a steady drumbeat of expensive (and public) resolution agreements between HHS and HIPAA covered entities, including several within the past few months. Just a day after this settlement, in fact, HHS announced a $3.9 million settlement with a research institute, which also involved the theft of an unencrypted laptop computer containing individuals' electronic PHI from an employee's car.