HHS Resolution Agreement: Medical Informatics Engineering, Inc. (Apr. 23, 2019) and HHS News Release (May 23, 2019); HHS Fact Sheet: Direct Liability of Business Associates (May 24, 2019)
HHS’s Office for Civil Rights (OCR) has announced a resolution agreement with a company that provides software and electronic medical record services to health care providers. The company, a HIPAA business associate, filed a breach report with OCR after discovering that hackers used a compromised user ID and password to access PHI of approximately 3.5 million individuals. OCR asserted that the company violated HIPAA by impermissibly disclosing the individuals’ PHI and failing to conduct an accurate and thorough risk analysis. In addition to a $100,000 settlement payment, the company agreed to a corrective action plan requiring it to conduct a thorough risk analysis and develop a risk management plan, each subject to OCR review and approval.
Shortly after announcing the resolution agreement, OCR issued a fact sheet listing the HIPAA administrative simplification provisions for which business associates may be directly liable (that is, subject to civil monetary penalties) under OCR’s expanded enforcement authority through the HITECH Act (see our Checkpoint article). The list includes privacy rule violations (such as impermissible uses or disclosures, and failure to observe the “minimum necessary” standard), breach notification failures, and failure to enter into business associate contracts with business associate subcontractors. Failure to comply with the security rule appears as a single entry on the list, but a footnote clarifies that nearly the entire security rule applies directly to business associates. OCR also notes it can directly impose penalties on business associates that fail to comply with business associate contract provisions requiring them to make PHI available to individuals who request access to their own PHI. And, although OCR cannot penalize business associates directly for charging excessive access fees, it can take enforcement action against covered entities that engage business associates that charge excessive fees.
EBIA Comment: The fact sheet underscores OCR’s continuing interest in compliance by business associates and helpfully clarifies the separate, and partially overlapping, lists of direct-liability provisions in the preamble to the 2013 omnibus regulations. The resolution agreement is noteworthy due to the small size of the settlement payment relative to the large number of affected individuals. It is unclear whether OCR’s recent revision to its enforcement policy (see our Checkpoint article) influenced the settlement amount. In any case, OCR’s prosaic description of the violations contrasts starkly with the detailed allegations in a complaint filed by 12 state attorneys general arising out of the same incident. (A consent judgment was recently announced in that case—we’ll provide coverage in next week’s EBIA Weekly.) For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXIV (“Business Associate Contracts”), XXIX.D (“Flexibility of Approach: Standards and Implementation Specifications”), and XXX (“Core Security Requirements”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 2/20/19).
Contributing Editors: EBIA Staff.