HIPAA Resolution Agreement Emphasizes Corrective Actions and Requires Independent Compliance Monitor

HHS’s Office for Civil Rights (OCR) has announced a $25,000 settlement with a clinical laboratory (a HIPAA covered entity) to resolve alleged violations of the HIPAA security rule. OCR began its investigation after the laboratory was acquired by another business that was already under an OCR compliance review. OCR found that the laboratory failed to conduct accurate and thorough risk and vulnerability assessments with respect to protected health information (PHI); adopt security measures to reduce identified risks and vulnerabilities to a reasonable and appropriate level; implement hardware, software, or procedural mechanisms to record and analyze activity in information systems containing PHI; and document policies and procedures to comply with the security rule.

In addition to the settlement payment, the laboratory agreed to a corrective action plan (CAP). The CAP requires the laboratory to conduct an enterprise-wide risk analysis for all its owned, controlled, or leased electronic media, workstations, and information systems that store or can access PHI. The laboratory must adopt an enterprise-wide risk management plan corresponding to the risk analysis. Both the risk analysis and risk management plan are subject to OCR’s review and approval. Then, the laboratory must revise its policies and procedures to comply with the privacy and security rules, and the revisions must be reviewed and approved by OCR. The approved policies and procedures must be incorporated in workforce training materials (also subject to OCR review and approval) and distributed to workforce members, who must acknowledge in writing that they have received training, and have read, understood, and will abide by the policies and procedures. The policies and procedures must be updated at least annually (with updates subject to OCR review and approval). The laboratory must also engage an independent, qualified third-party monitor approved by OCR to investigate, assess, and analyze the laboratory’s compliance with the CAP and security rule, and make reports to HHS and the laboratory. The laboratory must submit an implementation report and annual reports addressing compliance with the CAP for three years after the CAP’s effective date.

EBIA Comment: This agreement is noteworthy because OCR’s investigation stemmed from a corporate transaction rather than a breach or security incident—a difference from prior OCR settlements. Also noteworthy is that this “robust” (in OCR’s words) CAP includes detailed compliance monitoring and reporting provisions. Although other CAPs have required a third-party monitor (see our Checkpoint article), a compliance representative (see our Checkpoint article), or both (see our Checkpoint article), those CAPs involved multimillion-dollar settlements and breaches of PHI affecting large numbers of individuals. Neither factor is present in this case. And despite the modest settlement amount, this agreement reminds us that OCR enforcement actions may result in substantial compliance costs. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 9/10/20).

Contributing Editors: EBIA Staff.