Hacker's Theft of Over Six Million Individuals' PHI Leads to $2.3 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with a Tennessee-based business associate (BA) that provides health information management and other services to hospitals and clinics. Under the agreement, the BA must pay $2.3 million to HHS and comply with an extensive two-year corrective action plan (CAP).

by Practical Law Employee Benefits & Executive Compensation
Published on 24 Sep 2020 | USA (National/Federal)
On September 23, 2020, HHS issued a resolution agreement and related press release announcing a settlement with a Tennessee-based business associate (BA) for potential violations of the HIPAA Privacy and Security Rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). The BA provides compliance, legal, accounting, human resources, information technology, and health information management services to hospitals and clinics. Under the agreement, the BA must pay $2.3 million to HHS and comply with an extensive two-year corrective action plan (CAP).

Hacker Steals PHI of Over Six Million Individuals

In April 2014, a cyberhacking group used compromised credentials to remotely access the BA's information system through its virtual private network (VPN). Although the BA was initially unaware of the incident, it received notice of the intrusion from the FBI eight days after it occurred. Despite this notice, however, the attacker's impermissible access continued until August 2014. The breach affected well over 200 HIPAA covered entities (CEs) served by the BA, and the electronic protected health information (ePHI) of more than 6 million individuals. The affected PHI included individuals' names, sex, dates of birth, phone numbers, social security numbers, emails, ethnicities, and emergency contact information.
HHS's investigation revealed that the BA failed to:
  • Prevent unauthorized access to the ePHI of more than 6 million individuals on its network.
  • Adequately respond to, mitigate, and document the security incident, a failure that persisted for several months.
  • Implement technical policies and procedures to limit access to its information systems to persons and software programs with access rights.
  • Implement procedures for regularly reviewing activity on its information system (for example, audit logs, access reports, and security incident tracking reports).
  • Conduct accurate and thorough assessments of the risks and vulnerabilities concerning the ePHI in its possession.

Corrective Action Plan

In addition to the $2.3 million payment, the BA must comply with a CAP that imposes extensive requirements on the BA regarding risk analysis and risk management, HIPAA policies and procedures, training for workforce members, and internal reporting procedures.

Internal Monitoring of CAP Compliance

The BA must submit to HHS for approval a written plan for internally monitoring its compliance with the CAP. Although the CAP permits the BA to revise or create a new internal monitoring compliance plan, the BA may not implement the new or revised plan until obtaining HHS approval.

Risk Analysis and Risk Management

The CAP also requires the BA to:
  • Perform an accurate, thorough, and enterprise-wide risk analysis of security risks and vulnerabilities covering all electronic equipment, data systems, programs, and applications that contain, store, transmit, or receive ePHI.
  • Develop a complete inventory of the BA's electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI, including data centers, shared service centers, and corporate offices.
  • Create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Perform an annual risk analysis and document the security measures implemented to address the security risks and vulnerabilities identified in the risk analysis.
The BA must submit to HHS for approval the initial risk analysis, including its proposed scope and methodology, risk management plan, and subsequent risk analyses.

HIPAA Policies and Procedures; Minimum Content Requirements

The CAP requires the BA to review and revise its policies concerning:
  • Technical access control and restriction for any software application and network or server equipment containing ePHI, so that authorized access is limited to the minimum necessary (see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard).
  • Information system activity review for regular review of audit logs, access reports, and security incident tracking reports to monitor for suspicious events.
  • Security incident procedures, response, and reporting to detect, mitigate, and respond to security incidents.
  • Password management.
The CAP also imposes minimum content requirements for the BA's updated policies and procedures. The revised policies and procedures must meet the standards in the Security Rule's provisions addressing administrative, physical, and technical safeguards (45 C.F.R. §§ 164.308(a) and (b), 164.310, and 164.312; see Practice Note, HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements).
Furthermore, the BA may need to create or revise policies and procedures in response to findings from the risk analysis or to implement a risk management plan.
The BA must submit its revised policies and procedures to HHS for approval. Once the policies and procedures are approved, the CAP requires the BA to:
  • Finalize and adopt the approved policies and procedures.
  • Distribute the policies and procedures to all workforce members.
  • Document that workforce members have read, understand, and will comply with the policies and procedures.
  • Review and, if necessary, revise the policies and procedures annually.

Training

Under the CAP, the BA must submit its proposed training materials to HHS for approval (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). After the materials are approved, the BA must:
  • Provide training to all workforce members.
  • Obtain a certification, in written or electronic form, from each workforce member stating that the workforce member received the training.
  • Ensure that workforce members complete the required training.
  • Review and, if necessary, revise the training materials on an annual basis.

Internal Reporting Procedure

The BA also must develop and submit to HHS for approval an internal reporting procedure that requires workforce members to promptly report violations of the BA's HIPAA policies and procedures to the BA's compliance representative. The compliance representative must promptly investigate reported violations and document the investigation in writing. If an investigation reveals that a workforce member has materially violated the BA's policies and procedures (referred to in the CAP as a reportable event), the compliance representative must notify HHS in writing, including:
  • A description of the reportable event, including when and where the violation occurred, the workforce member involved, and the relevant provision that was violated.
  • A description of the BA's mitigation efforts and any steps it plans to take to prevent future violations.

Annual Reports

For each year of the CAP, the BA must submit an annual report regarding its CAP compliance. The annual reports must include:
  • The compliance representative's attestation that the obligations set out in the CAP have been met.
  • A list of the BA's locations and the contact information for each location, together with the compliance representative's attestation that each location has complied with the CAP.
  • A summary of reportable events and any related corrective or preventive actions taken by the BA.
  • An attestation that the compliance representative reviewed the annual report, made reasonable inquiries, and believes the information to be correct.

Practical Impact

As in other recent HIPAA settlements, this latest agreement underscores the potential liability that HIPAA BAs face regarding failures to comply with HIPAA (in this case, HIPAA's Security Rule requirements) (see also Practice Note, HIPAA Enforcement: Settlement Agreements: Business Associate Issues and Legal Update, In $1 Million HIPAA Settlement, HHS Emphasizes Business Associate and Encryption Compliance). This agreement also is notable in terms of its monetary amount—and even more so regarding the number of affected individuals and CEs. In addition, the enforcement action is the second in just over a week to result from a hacking incident. The other recent settlement agreement included more detailed requirements regarding policy and procedure changes to address hacking-related intrusions (see Legal Update, Hacker Group's Impermissible Access to ePHI Leads to $1.5 Million HIPAA Settlement: HIPAA Policies and Procedures).