Advanced Care Hospitalists: Resolution Agreement (Sept. 20, 2018) and Press Release (Dec. 4, 2018); Pagosa Springs Medical Center: Resolution Agreement (Nov. 5, 2018) and Press Release (Dec. 11, 2018)
HHS’s Office for Civil Rights (OCR) has announced two resolution agreements involving alleged violations of HIPAA’s privacy and security rules. The first agreement involves a health care provider that contracted with an individual—who falsely claimed to be the representative of a third-party billing company—to provide data-processing services. Almost two years after the contract ended, a hospital notified the provider that PHI of the provider’s patients was viewable on the billing company’s website. The provider filed breach notification reports with OCR, indicating that more than 8,800 individuals may have been affected. OCR’s investigation revealed that the provider never entered into a business associate contract for the data-processing services. Moreover, the provider did not conduct a risk analysis, implement security policies and procedures, or adopt a policy for business associate contracts until after the breach was discovered. In addition to a $500,000 payment, the provider agreed to a two-year corrective action plan (CAP) requiring, among other things, an accounting of business associates and copies of related contracts; a risk analysis and risk management plan (subject to OCR’s approval); updated policies and procedures addressing specified provisions of the privacy and security rules; and distribution of the policies and procedures to the workforce, with appropriate workforce training (also subject to OCR’s approval).
The second agreement resolved a complaint alleging that a health care provider failed to de-activate a terminated employee’s user name and password. OCR’s investigation revealed that the terminated employee was able to impermissibly access the PHI of at least 557 individuals using the provider’s web-based scheduling calendar. Moreover, because the provider did not enter into a business associate contract with the calendar’s vendor, the provider impermissibly disclosed the PHI of at least 557 individuals to the vendor. In addition to a $111,400 payment, the provider agreed to a two-year CAP requiring revised policies and procedures—including (1) designating individuals responsible for ensuring that business associate contracts are in place before PHI is disclosed; (2) creating processes to identify current and future business associates and negotiate contracts with them; (3) developing standard business associate contracts; (4) maintaining contracts for at least six years after relationships end; and (5) limiting disclosures to business associates to the minimum necessary. The CAP also requires adoption of guidelines for downloading and using third-party services and applications and, subject to OCR approval, a risk analysis, risk management plan, and revised workforce training materials.
EBIA Comment: To date, at least seven resolution agreements have resulted from a covered entity’s failure to enter into, or update, business associate contracts. Recognizing when a service provider is a business associate is crucial. Once business associates are identified, covered entities should keep a detailed inventory of business associate contracts and make sure they are accessible and updated. Failure to terminate access has also caught OCR’s attention—leading, for example, to a $5.5 million settlement in February 2017 (see our Checkpoint article). Robust procedures for terminating access to PHI for terminated workforce members are a critical aspect of security rule compliance. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D.5 (“Resolution Agreements: Business Associate Contracts”) and XXX.B.3 (“Standard: Workforce Security”). You may also be interested in our recorded webinar “Negotiating a HIPAA Business Associate Contract from the Plan Sponsor and Service Provider Perspectives” (recorded 10/24/18).
Contributing Editors: EBIA Staff.