Helen Pfister and Michelle Gabriel McGovern
On May 7, New York Presbyterian Hospital (NYP) and Columbia University (CU) entered into the largest settlement agreement to date with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). According to an HHS official, the settlement, which totaled $4.8 million, is part of a more aggressive enforcement period at OCR.
Jerome Meites, a chief regional civil rights counsel at HHS, said on June 12 that OCR planned to ramp up enforcement action in coming months. Although HHS has collected more than $10 million in settlements from HIPAA-covered entities in the past 12 months, Meites said that the past year’s collections “will be low compared to what’s coming up.” Meites, who was speaking at an American Bar Association conference, said that OCR enforcement agents “think they can affect the industry with high-impact cases.”
Annual HIPAA settlements have ranged from a low of $100,000 in 2008, the year the first HIPAA settlement was announced, to a high of approximately $6.2 million in 2011. However, settlements collected so far in 2014—totaling just shy of $7 million—have already surpassed OCR’s most aggressive enforcement period to date.
The recent uptick in HIPAA settlement amounts coincides with the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which increased maximum penalties for violations of the same HIPAA provision to $1.5 million per year from the previous maximum of $25,000 per year. The HIPAA Omnibus Final Rule, which implemented the more aggressive penalty structure, was released in January 2013.
The NYP-CU settlement agreement is the most recent in a series of enforcement actions taken against health care organizations that have failed to protect patient health care data on computer systems, electronic networks or other portable media. According to Meites, portable media is at the root of “an enormous number” of HIPAA complaints, and is “the bane of existence for covered entities.”
The settlement with NYP and CU, which is greater than the last five HHS settlements for HIPAA violations combined, involved an alleged breach of electronic protected health information (ePHI) that impacted approximately 6,800 individuals.
NYP and CU are parties to a joint arrangement where CU faculty members serve as attending physicians at NYP, through an affiliation called the New York Presbyterian Hospital/Columbia University Medical Center. As part of this affiliation, NYP and CU store ePHI on a shared electronic network that links the entities’ patient information systems.
In September 2010, New York Presbyterian Hospital/Columbia University Medical Center submitted a joint breach report to OCR, after a CU physician attempted to deactivate a personally owned computer server on the health care organizations’ shared network. Because the shared server lacked certain technical safeguards, the attempted deactivation resulted in the disclosure of ePHI, which included patient health status, vital signs, medication information and laboratory results, to generally accessible public databases. The partner of a former patient first alerted NYP and CU to the alleged breach after finding that patient’s information on the Internet.
While investigating the breach, OCR also uncovered a number of data security risks, which included a failure to implement security measures to reduce the risk of ePHI disclosure, and a failure to conduct an accurate and thorough risk analysis of all information technology equipment, applications and data systems using ePHI. OCR further found that both NYP and CU failed to implement the security measures necessary to reduce the risk of ePHI disclosure, resulting in insufficient risk management at both entities.
Of particular relevance to the incident surrounding the alleged data breach, OCR found that NYP did not have appropriate policies and procedures in place for authorizing access to databases containing patient information. Further, OCR found that NYP did not comply with the policies that were in place to manage information access.
In the wake of the investigation, OCR stressed that joint health care arrangements can result in liability for all covered entities involved. “When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” Christina Heide, OCR’s Acting Deputy Director of Health Information Privacy, said in a statement. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
NYP’s share of the settlement agreement—$3.3 million—was more than twice the share paid by CU ($1.5 million). In addition, both entities entered into corrective action plans (CAPs) with HHS, which will be in effect for three years. Under the CAPs, each entity is required to (among other things) undertake a risk analysis, develop a risk management plan, revise policies and procedures on information access management and device and media controls, and develop a privacy and security awareness training program.
The NYP and CU settlement agreements are among a number of notable recent HIPAA settlements, during a period when data breaches are at an all-time high. On April 22, 2014, HHS announced a settlement with Concentra Health Services, a provider whose locations include New York, New Jersey and Connecticut, in connection with a stolen laptop computer that stored unencrypted ePHI. OCR’s investigation uncovered evidence that Concentra had recognized—but failed to appropriately respond to—issues involving lack of encryption on multiple devices, including laptops.
As with NYP and CU, OCR noted that Concentra’s security management processes did not appropriately safeguard necessary information. In addition to paying a settlement totaling $1.725 million, Concentra also entered into a CAP with HHS, which requires (among other things) Concentra to complete a risk analysis and implement a risk management plan.
In the press release announcing the Concentra settlement, OCR’s then-Deputy Director of Health Information Privacy, Susan McAndrew, stressed the importance of encrypting laptops and other mobile devices. “Covered entities and business associates must understand that mobile device security is their obligation,” McAndrew said. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
On Dec. 26, 2013, HHS announced a settlement with a provider entity, Massachusetts-based Adult & Pediatric Dermatology (APD), for $150,000 for failing to have in place HIPAA breach notification policies and procedures. Although the settlement agreement was noteworthy for its subject matter (it marked the first settlement with a HIPAA-covered entity for failure to have appropriate breach notification policies and procedures in place), OCR launched its investigation after an unencrypted thumb drive containing ePHI of approximately 2,200 patients was stolen from an APD employee’s vehicle.
The APD settlement further underscores the importance of ensuring that devices storing ePHI are secure, and that policies and procedures are in place for both preventing unintended disclosure of ePHI, and for promptly addressing any actual or suspected breaches. As providers increasingly use technology for storing and transporting patient data, they should ensure that HIPAA policies and procedures are bolstered as shared networks and portable data storage systems proliferate.
Since HHS entered into its first resolution agreement with a HIPAA-covered entity in July 2008, the enforcement landscape has grown increasingly rigorous, while the number of individuals impacted by data breaches continues to rise. According to Modern Healthcare, nearly 31.7 million people—or one in 10 in the United States—have had their medical records exposed through reported breaches.[1]
In recent years, HHS has entered into landmark settlements (such as the multimillion dollar NYP-CU settlement), and indicated a particular interest in laptop and mobile device security (for instance, in the Concentra and APD settlements). Further, OCR has indicated a willingness to pursue enforcement actions involving breaches of fewer than 500 patients’ protected health information, which is below the threshold at which immediate notification of HHS and notification of local media are required.
The first settlement of a breach involving fewer than 500 patients’ PHI was announced on Jan. 2, 2013. In this instance, a provider entity called the Hospice of North Idaho agreed to pay $50,000 and entered into a CAP with HHS after reporting the theft of an unencrypted laptop computer containing ePHI of 441 patients in June 2010. More recently, on April 22, 2014, QCA Health Plan of Arkansas settled with OCR for $250,000 after reporting the theft of an unencrypted laptop containing ePHI of 148 individuals in February 2012.
While the settlement agreements involving fewer than 500 patients are far smaller than the nearly $5 million paid by NYP-CU in May, when viewed as a whole, they indicate a willingness on the part of OCR to investigate breaches at any level, and occurring at all provider types. Smaller, singular entities (as opposed to large health systems or providers with “deep pockets”) are not insulated from enforcement action for being less sophisticated—they are held to the same standards, and subject to the same enforcement actions, as larger providers.
HHS has also brought enforcement action against entities that have failed to adequately detect—and protect against—security risks. In July 2013, WellPoint, a managed care company, entered into a $1.7 million settlement agreement for (among other things) failing to implement the safeguards required by the HIPAA Security Rule. OCR’s investigation of the WellPoint breach, which impacted nearly 613,000 people, revealed that the entity failed to perform appropriate technical evaluations or have in place the necessary safeguards to protect members’ PHI.
In June 2012, the Alaska Department of Health and Social Services (DHSS) settled with HHS for $1.7 million after OCR, while investigating a reported HIPAA breach, determined that the department failed to implement adequate policies and procedures to safeguard PHI. In addition to the incident at the root of the reported breach (the theft of a USB hard drive containing ePHI), OCR found that DHSS had failed to complete a risk analysis, implement sufficient risk management procedures, appropriately train work force members on privacy and security, implement device and media controls or encrypt electronic devices as required by the HIPAA Security Rule.
Thus, implementing, and ensuring compliance with, HIPAA policies and procedures is of critical importance to providers of all sizes, and all levels of sophistication—particularly those that store ePHI on laptops and mobile devices, and that use shared networks. And, as the NYP-CU settlement indicates, the cost of noncompliance can be extreme.
Helen Pfister is a partner and Michelle Gabriel McGovern is an associate in Manatt, Phelps & Phillips’ health care practice.
[1] Joseph Conn, “Major medical records breaches pass 1,000 milestone as enforcement ramps up,” Vital Signs, Modern Healthcare, June 13, 2014.