2013 was a busy year for the Department of Health and Human Services (HHS). In January 2013, HHS issued its Final Omnibus Rule, substantially modifying the Privacy, Security, and Enforcement Rules under the Health Insurance Portability and Accountability Act (HIPAA) as well as the Breach Notification Rule under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The Final Omnibus Rule gives HHS’s Office for Civil Rights (OCR) even greater authority to police covered entities and to enforce HIPAA/HITECH Act privacy and security regulations. As expected, OCR was active in its enforcement efforts in 2013.
In May 2013, Idaho State University entered into a Resolution Agreement with HHS after self-reporting a data breach involving approximately 17,500 patients of the university’s Pocatello Family Medicine Clinic. The breach occurred because the school disabled the firewall protecting one of its servers, which left patients’ electronic protected health information exposed for a 10-month period. OCR fined Idaho State $400,000, concluding that it failed to: 1) conduct a risk analysis of its electronic protected health information as required by the HIPAA Security Rule; 2) “adequately implement security measures sufficient to reduce the risk and vulnerabilities to a reasonable and appropriate level;” and 3) “adequately implement procedures to regularly review records of information system activity to determine if any [electronic protected health information] was used or disclosed in an inappropriate manner.” The third finding explains the first: without routine review of system activity records, a disabled firewall went unnoticed for ten months. OCR’s Director Leon Rodriguez stated that “risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”
In July 2013, WellPoint, Inc., an Indiana managed care company, agreed to pay HHS $1.7 million to resolve alleged violations of the HIPAA Privacy and Security Rules. OCR initiated its investigation after WellPoint notified OCR of a potential data breach involving approximately 612,000 customers. The breach resulted from a software upgrade to WellPoint’s online application database that exposed customer names, birth dates, addresses, phone numbers, social security numbers, and health information to unauthorized access. OCR ultimately concluded that WellPoint failed to: 1) “adequately implement policies and procedures for authorizing access to the online application database;” 2) “perform an appropriate technical evaluation in response to a software upgrade to its information systems;” and 3) “have technical safeguards in place to verify the person or entity” seeking access to the database. In other words, a change to a production system went live without a security evaluation of the change or an authentication check on who could reach the data afterward. HHS cautioned that “this case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”
In August 2013, Affinity Health Plan, Inc., a New York not-for-profit managed care plan, entered into a Resolution Agreement with HHS, agreeing to pay a $1,215,780 settlement. OCR initiated its investigation after Affinity’s breach was reported by CBS Evening News. For its investigative report, CBS went to a New Jersey warehouse and purchased several used photocopiers, one of which had previously been leased by Affinity. With little effort, CBS retrieved 300 pages of medical records from the hard drive of the Affinity photocopier, including patient test results, diagnostic assessments, and drug prescriptions. OCR found that: 1) Affinity impermissibly disclosed the electronic protected health information of up to 344,579 individuals; 2) Affinity failed to “assess and identify the potential security risks and vulnerabilities” of storing electronic protected health information on photocopier hard drives; and 3) Affinity failed to develop and implement proper disposal policies and procedures for electronic protected health information stored on leased photocopiers that are returned to the lessor. In announcing HHS’s settlement with Affinity, Director Rodriguez sent a clear message to the healthcare industry: “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.” He went on to say that “[t]his settlement illustrates an important reminder about equipment designed to retain electronic information: make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent.” The practical point for covered entities is that any device with internal storage, not only servers and laptops, holds electronic protected health information and must be covered by the risk analysis and by the media disposal process.
Finally, in December 2013, HHS announced that Adult & Pediatric Dermatology, P.C. (A&PD), a private Massachusetts dermatology practice, agreed to a $150,000 settlement with HHS after an unencrypted thumb drive containing the electronic protected health information of approximately 2,200 patients was stolen from a staff member’s vehicle. OCR’s resulting investigation found that A&PD failed to “conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of electronic protected health information as part of its security management process” and to “fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.” Had the drive been encrypted in accordance with HHS guidance, the loss would not have involved “unsecured” protected health information and would not have triggered the Breach Notification Rule at all. In announcing the settlement, Director Rodriguez warned that “covered entities of all sizes need to give priority to securing electronic protected health information.”
OCR’s 2013 enforcement actions focused on: 1) risk analyses of electronic protected health information; 2) sufficient implementation and enforcement of privacy and security policies and procedures; 3) adequacy of technical safeguards for electronic protected health information, including access controls and evaluation of system changes; and 4) proper retention and disposal policies and procedures for electronic protected health information, whatever device it lives on. In its first full year enforcing the changes brought about under the Final Omnibus Rule, OCR sent a clear message to covered entities of all sizes: take adequate precautions to protect electronic protected health information or face serious monetary penalties.