The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving health care facilities and providers affiliated with a major West Coast university. The university will pay $750,000 to settle the potential violations and must take corrective measures that include a comprehensive risk analysis.
According to HHS, the university's breach report indicated that the electronic PHI of more than 90,000 patients was accessed when an employee downloaded an email attachment containing malware. The malware ultimately compromised the organization's IT systems and affected individual information that included patients' names, Social Security numbers, medical record numbers, addresses and phone numbers, dates of birth, dates of service, bill balances, and insurance identification or Medicare numbers. HHS's investigation indicated that the university's medical school failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
Under its resolution agreement with HHS, in addition to the $750,000 payment, the university must:
Submit annual reports detailing the status of and findings regarding the university's compliance with the corrective action plan for each reporting period.
Retain all documents and records relating to compliance with the corrective action plan for six years.
Corrective Action Plan
The corrective action plan requires the university to:
Develop, for approval by HHS, a comprehensive risk analysis of security risks and vulnerabilities that includes electronic PHI created, received, maintained, or transmitted by any facilities that were excluded from an earlier risk assessment conducted by the university.
Review its risk analysis annually (or more frequently if appropriate) and promptly evaluate and update the risk analysis as necessary in response to changes affecting the security of electronic PHI.
Following any updates to its risk analysis, take certain actions, which include:
assessing whether its existing security measures are sufficient to protect electronic PHI;
developing a strategy to mitigate risks to electronic PHI;
revising policies and procedures and training materials, as needed; and
Develop and (following approval by HHS) implement a risk management plan that addresses the risks identified in the risk analysis.
Provide documentation to HHS within 180 days regarding development and implementation of the structural reorganization of its compliance program.
Promptly investigate potential violations of its compliance policies and procedures and, if it determines a violation has occurred, notify HHS in writing within 30 days.
Practical Impact
This settlement agreement caught our attention in part because of the relative ease, in this day and age, with which well-intentioned employees can become the victims of the same kinds of malware that triggered this incident. As employers develop more sophisticated privacy compliance programs, this settlement (the latest in a series of high-cost enforcement actions by HHS) underscores the need for such programs to reflect HIPAA privacy and security safeguards, as appropriate (see Practice Note, Developing a Privacy Compliance Program). Safeguards may include the use of up-to-date software to prevent malware incidents, and response procedures for handling malware incidents (particularly widespread ones).
The settlement also highlights the responsibilities of "affiliated covered entities" regarding HIPAA privacy and security compliance. An affiliated covered entity consists of legally separate entities that:
Designate and document themselves as a single covered entity for HIPAA compliance purposes.
Are under common ownership and control.
In this case, HHS faulted the university for not ensuring that all its affiliated entities were:
Properly conducting risk assessments. (As noted in the resolution agreement, certain affiliated facilities and applications were not included in an earlier risk assessment, but should have been.)
Appropriately responding to the risks and vulnerabilities in their particular settings.