Malicious Malware Leads to $750,000 HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving health care facilities and providers affiliated with a major West Coast university. The university will pay $750,000 to settle the potential violations and must take corrective measures that include a comprehensive risk analysis.

Practical Law Legal Update w-001-0722 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 15 Dec 2015, USA (National/Federal)
On December 14, 2015, HHS issued a resolution agreement and related press release announcing a settlement with a major West Coast university for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule (see Practice Note, HIPAA Security Rule). The enforcement action involved several health care providers and related entities under the university's control and affiliated with the university's medical school and main teaching hospital. HHS began its investigation after the medical school submitted a breach notification to the government involving unsecured electronic protected health information (PHI) (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations, and the HIPAA Privacy, Security, and Breach Notification Toolkit). The university will pay $750,000 to settle the potential violations and must adopt a corrective action plan that includes development of a "current, comprehensive and thorough" risk analysis.
According to HHS, the university's breach report indicated that the electronic PHI of more than 90,000 patients was accessed after an employee downloaded an email attachment containing malware. The malware ultimately compromised the organization's IT systems and affected individuals' information, including patients' names, Social Security numbers, medical record numbers, addresses and phone numbers, dates of birth, dates of service, bill balances, and insurance identification or Medicare numbers. HHS's investigation indicated that the university's medical school had failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
Under its resolution agreement with HHS, in addition to the $750,000 payment, the university must:
  • Comply with a corrective action plan (see Corrective Action Plan).
  • Submit annual reports detailing the status of and findings regarding the university's compliance with the corrective action plan for each reporting period.
  • Retain all documents and records relating to corrective action plan compliance for six years.

Corrective Action Plan

The corrective action plan requires the university to:
  • Develop, for approval by HHS, a comprehensive risk analysis of security risks and vulnerabilities that includes electronic PHI created, received, maintained, or transmitted by any facilities that were excluded from an earlier risk assessment conducted by the university.
  • Review its risk analysis annually (or more frequently if appropriate) and promptly evaluate and update the risk analysis as necessary in response to changes affecting the security of electronic PHI.
  • Following any updates to its risk analysis, take certain actions, which include:
    • assessing whether its existing security measures are sufficient to protect electronic PHI;
    • developing a strategy to mitigate risks to electronic PHI;
    • revising policies and procedures and training materials, as needed; and
    • implementing additional security measures.
Additionally, the university must:
  • Develop and (following approval by HHS) implement a risk management plan that addresses the risks identified in the risk analysis.
  • Provide documentation to HHS within 180 days regarding development and implementation of the structural reorganization of its compliance program.
  • Promptly investigate potential violations of its compliance policies and procedures and, if it determines a violation has occurred, notify HHS in writing within 30 days.

Practical Impact

This settlement agreement caught our attention in part because of the relative ease, in this day and age, with which well-intentioned employees can become the victims of the same kinds of malicious malware that triggered this incident. As employers develop more sophisticated privacy compliance programs, this settlement (the latest in a series of high-cost enforcement actions by HHS) underscores the need for such programs to reflect HIPAA privacy and security safeguards, as appropriate (see Practice Note, Developing a Privacy Compliance Program). Safeguards may include use of up-to-date software to prevent malware incidents, and response procedures for handling malware incidents (particularly widespread ones).
The settlement also highlights the responsibilities of "affiliated covered entities" regarding HIPAA privacy and security compliance. An affiliated covered entity consists of legally separate entities that:
  • Designate and document themselves as a single covered entity for HIPAA compliance purposes.
  • Are under common ownership and control.
In this case, HHS faulted the university for not ensuring that all its affiliated entities were:
  • Properly conducting risk assessments. (As noted in the resolution agreement, certain affiliated facilities and applications were not included in an earlier risk assessment, but should have been.)
  • Appropriately responding to the risks and vulnerabilities in their particular settings.
As has become a theme in recent enforcement actions, HHS again emphasized the need for organization-wide risk analyses that are comprehensive in scope (see Legal Updates, $3.5 Million HIPAA Settlement Highlights Need for Training and Stolen Laptop Bag Leads to $750,000 HIPAA Settlement). The comprehensive risk analysis will not be a one-and-done undertaking for the university, but will instead require regular review and updating (if needed).