In $1 Million HIPAA Settlement, HHS Emphasizes Business Associate and Encryption Compliance | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving a nonprofit health care provider and HIPAA covered entity (CE). The CE will pay $1,040,000 to settle the potential violations resulting from a stolen laptop and must take corrective measures that include encryption compliance, revising its affiliated covered entity status, and designating a business associate (BA) manager to identify its BAs.

by Practical Law Employee Benefits & Executive Compensation
Published on 29 Jul 2020 | USA (National/Federal)
On July 27, 2020, HHS issued a resolution agreement and related press release announcing a settlement with a Rhode Island-based nonprofit health care provider and HIPAA covered entity (CE) for potential violations of the HIPAA Privacy and Security Rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). The CE, which includes several health care providers, has designated itself as a HIPAA affiliated covered entity (see Practice Notes, HIPAA Privacy Rule: Affiliated Covered Entities and HIPAA Enforcement: Penalties and Investigations: CE or BA Liability and Agency Law).
HHS began its investigation in April 2017 after the CE filed a HIPAA breach notification involving the theft of an unencrypted MacBook laptop from a hospital employee's car that was parked in a public parking lot (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Enforcement and Group Health Plans: Penalties and Investigations, and the HIPAA Privacy, Security, and Breach Notification Toolkit). The employee used the laptop for work purposes, and the employee's work emails may have been cached in a file on the laptop's hard drive. Compromised information on the laptop included patient names, medical record numbers, partial address information, demographic information, and the names of prescribed or administered medications. The laptop was never recovered.
According to HHS, the CE did not:
As a result, the CE impermissibly disclosed the PHI of more than 20,400 individuals.
Under its resolution agreement with HHS, the CE must:
  • Pay $1,040,000 to settle the potential violations.
  • Comply with a corrective action plan (CAP) and retain all documents and records relating to CAP compliance for six years.
  • Submit an annual report detailing its compliance with the CAP.

Corrective Action Plan Emphasizes BA Issues, Encryption, and Training

The CAP requires the CE to perform several actions relating to its status as an affiliated CE, including:
  • Providing HHS evidence of the status of the affiliated CE and which CEs are members of the affiliated CE.
  • Revising its affiliated CE status according to any recommended changes from HHS, and providing the revised affiliated CE status to HHS for review and approval.

CAP Provisions Addressing BA Agreements

A section of the CAP includes extensive requirements involving BA agreements. Under the CAP, the CE must revise its policies and procedures relating to its BA agreements to:
  • Designate one or more individuals who will be responsible for ensuring the CE enters into a BA agreement with each of its BAs before disclosing PHI to them.
  • Adopt a process for assessing the CE's current and future business relationships to determine whether each relationship is with a BA, and requiring the CE to negotiate and enter into BA agreements with its BAs before disclosing PHI to them.
  • Create a standard template BA agreement (see Standard Document, HIPAA Business Associate Agreement).
  • Limit disclosures of PHI to BAs to the minimum necessary for BAs to perform their duties (see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard).
  • Provide HHS with an accounting of the BA arrangements with its affiliated CEs that includes the BAs' names, a description of the services provided, and the date that services began (in addition to the governing BA agreements).

Report of Encryption and Access Controls

Another section of the CAP addresses detailed compliance requirements related to a report on encryption and access controls. For example, the CE must timely provide HHS a written report that provides proof of its encryption and access controls regarding its devices. The report must reflect:
  • The CE's total number of devices and equipment, including desktop and laptop computers, tablets, mobile phones, and USB drives, that may be used to store, access, download, or transmit ePHI.
  • The total number of devices that are encrypted – and evidence of such encryption.
  • The status of non-encrypted devices (including, as applicable, any plans to encrypt the devices).
  • For each category of covered electronic media, documentation reflecting the encryption solution used, for example:
    • a native or third-party encryption product and product version number; and
    • if applicable, a copy of the encryption software license deployed.
  • Regular updates to HHS regarding the encryption status of devices.
Regarding the encryption status updates, the CE must address implementation of "mobile device management" (MDM) solutions to ensure that CE-owned and personally owned mobile devices that access the CE's network are encrypted.
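The report described above is essentially a device inventory joined to encryption evidence. The following Python script is an added example written for this update; it is not part of the resolution agreement, the CAP, or any Practical Law material. It assumes a constructed inventory (asset IDs, product names and evidence references are illustrative), computes the totals the CAP calls for (devices in scope, how many are encrypted, broken down by media category), and flags the two documentation gaps an assessor would look for: an unencrypted device with no remediation plan, and an encrypted device whose product, version, or evidence is not recorded.

```python
"""Device inventory / encryption status report generator (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Device:
    asset_id: str
    category: str              # "laptop", "desktop", "tablet", "phone", "usb"
    handles_ephi: bool         # may store, access, download or transmit ePHI
    encrypted: bool
    encryption_product: str = ""   # native or third-party product name
    product_version: str = ""
    evidence: str = ""             # reference to proof: MDM export, license copy, screenshot
    remediation_plan: str = ""     # for unencrypted devices: planned action and target date


# Constructed sample inventory; asset IDs, products and file names are hypothetical.
SAMPLE_INVENTORY = [
    Device("LT-001", "laptop", True, True, "FileVault 2", "macOS 10.15", "mdm-export-2020-07.csv"),
    Device("LT-002", "laptop", True, False, remediation_plan="enroll in MDM by 2020-09-30"),
    Device("PH-010", "phone", True, True, "iOS data protection", "13.6"),   # no evidence recorded
    Device("USB-07", "usb", True, False),                                    # no plan recorded
    Device("DT-300", "desktop", False, False),                              # never touches ePHI
    Device("TB-02", "tablet", True, True, "Android file-based encryption", "10", "mdm-export-2020-07.csv"),
]


def in_scope(devices):
    """Only devices that may handle ePHI belong in the report."""
    return [d for d in devices if d.handles_ephi]


def encryption_summary(devices):
    """Overall and per-category counts as (total, encrypted)."""
    scoped = in_scope(devices)
    per_category = defaultdict(lambda: [0, 0])
    for d in scoped:
        per_category[d.category][0] += 1
        if d.encrypted:
            per_category[d.category][1] += 1
    return {
        "total": len(scoped),
        "encrypted": sum(1 for d in scoped if d.encrypted),
        "by_category": {k: tuple(v) for k, v in per_category.items()},
    }


def findings(devices):
    """Gaps an assessor would flag before the report is submitted."""
    out = []
    for d in sorted(in_scope(devices), key=lambda x: x.asset_id):
        if not d.encrypted and not d.remediation_plan:
            out.append(f"{d.asset_id}: unencrypted and no remediation plan")
        elif d.encrypted and not (d.encryption_product and d.product_version and d.evidence):
            out.append(f"{d.asset_id}: encrypted but product/version/evidence incomplete")
    return out


def render_report(devices):
    """Plain-text report: totals, per-category status, per-device detail, open findings."""
    s = encryption_summary(devices)
    lines = [f"Devices in scope: {s['total']}  encrypted: {s['encrypted']}"]
    for cat, (total, enc) in sorted(s["by_category"].items()):
        lines.append(f"  {cat}: {enc}/{total} encrypted")
    lines.append("Per-device status:")
    for d in sorted(in_scope(devices), key=lambda x: x.asset_id):
        if d.encrypted:
            lines.append(f"  {d.asset_id} ENCRYPTED {d.encryption_product} {d.product_version} "
                         f"evidence={d.evidence or 'MISSING'}")
        else:
            lines.append(f"  {d.asset_id} NOT ENCRYPTED plan={d.remediation_plan or 'MISSING'}")
    lines.append("Findings:")
    lines.extend(f"  - {f}" for f in findings(devices) or ["none"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_INVENTORY))
```

Running the script prints the summary and two findings for the constructed data (the USB drive with no plan and the phone with no evidence). In practice the inventory rows would come from an MDM or asset-management export rather than a literal list, and the evidence field would point at the exported encryption-status record or license copy that the CAP asks to be included.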

Other CAP Provisions

Under the CAP, the CE also must review and revise its written policies and procedures on device and media controls, and distribute those policies and procedures to all members of the CE's workforce who use or disclose ePHI. The CAP also includes training and reporting requirements (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).

Practical Impact

This settlement is the latest in a line of resolution agreements between HHS and HIPAA CEs involving stolen laptops (see Legal Updates, Stolen Laptop Results in $2.5 Million HIPAA Settlement, HHS Nets Over $5 Million in HIPAA Settlements Involving Stolen Laptops, and Stolen Laptop Bag Leads to $750,000 HIPAA Settlement). It's nothing new for HHS to emphasize the need for encrypting devices that are used to access PHI. What is striking about this CAP is the level of detail regarding its encryption-related requirements which, as discussed above, include information on device inventories and specific encryption solutions deployed. The BA-related provisions, too, are extensive – though this isn't the first time in recent months that HHS has required use of a BA manager to keep track of a CE's BAs (see Legal Updates, HHS Emphasizes Business Associate Compliance in $100,000 HIPAA Settlement and PHI Visible Via Google Search Leads to $3 Million HIPAA Settlement).