The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is continuing its recent trend toward stricter enforcement of violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Increased enforcement actions have followed OCR investigations, most recently arising from a breach reported under the Health Information Technology for Economic and Clinical Health (HITECH) Act’s breach notification rule.
In March, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay a $1.5 million settlement related to potential violations of the HIPAA Privacy and Security Rules. This settlement resulted from a BCBST breach report that 57 unencrypted computer hard drives containing the protected health information of over one million individuals were stolen from a leased facility in Tennessee. The OCR investigation revealed that BCBST had failed to implement appropriate administrative safeguards to adequately protect its health information, by failing to perform the required security evaluation, and had failed to implement appropriate physical safeguards. In addition to the monetary settlement, BCBST agreed to implement a corrective action plan addressing gaps in HIPAA compliance; to review, revise, and maintain its Privacy and Security Policies and Procedures; to conduct regular and robust training for employees; and to perform monitoring reviews to ensure compliance with the corrective action plan.
A more recent example of this strict enforcement involved a physician practice’s agreement to pay a $100,000.00 fine and implement a corrective action plan under a Resolution Agreement with the OCR. Phoenix Cardiac Surgery, P.C., agreed to the terms of the Resolution Agreement following the OCR’s investigation of its practice of posting clinical and surgical appointments on a publicly accessible internet-based calendar. OCR initiated the investigation after receiving a complaint alleging that the practice impermissibly disclosed electronic protected health information by making it publicly available on the internet. The OCR found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to adequately protect patient information. Further, OCR determined that Phoenix Cardiac Surgery had inadequately documented employee training with respect to the Privacy and Security Rules, and had failed to identify a security official, conduct a risk analysis, or obtain satisfactory assurances in Business Associate Agreements with its internet-based calendar and email providers. The Resolution Agreement made clear that vendors who store and transmit patient information are business associates and must comply with the HIPAA Privacy and Security Rules. Health care providers should therefore verify that they have Business Associate Agreements in place for these types of services.
Covered entities should expect an OCR follow-up investigation after any major breach report. Those that wish to minimize their exposure to future enforcement sanctions should evaluate their policies and procedures, risk assessments, documentation (including Business Associate Agreements), and employee compliance training on HIPAA-related issues at their earliest opportunity.