Resolution Agreement: North Memorial Health Care (Undated); Resolution Agreement: Feinstein Institute for Medical Research (March 16, 2016)
HHS’s Office for Civil Rights (OCR) has announced two more resolution agreements settling potential HIPAA privacy and security violations. The first resolution agreement resulted from a health care provider’s failure to (1) enter into a business associate agreement with a major contractor; and (2) institute an organization-wide risk analysis to address risks and vulnerabilities to protected health information (PHI). OCR began an investigation after receiving a breach report indicating that an unencrypted laptop had been stolen from the vehicle of a business associate’s employee. In its press release, OCR noted that the covered entity impermissibly gave its business associate access to the PHI of nearly 300,000 patients without first obtaining satisfactory assurances, in a written business associate contract, that the PHI would be appropriately safeguarded. The investigation also revealed that the covered entity’s risk assessment did not take into account all applications, software, databases, servers, workstations, mobile devices, electronic media, devices for network administration and security, and associated business processes. In addition to the settlement payment of $1.55 million, the covered entity is required to (1) adopt policies and procedures to ensure compliance with the rules governing business associate relationships before disclosing PHI to contractors; (2) develop and implement an organization-wide risk analysis and risk management plan; (3) submit the policies and procedures, risk analysis, and risk management plan to OCR for approval; and (4) train employees on any new or revised policies and procedures.
The second resolution agreement—which, at $3.9 million, is now the largest single settlement to date—resulted from a breach report indicating theft of a laptop from an employee’s car. In its press release, OCR noted that the covered entity’s security management process was incomplete and insufficient to address potential risks and vulnerabilities to electronic PHI (ePHI). Moreover, the entity lacked policies and procedures to (1) authorize access to PHI; (2) restrict access to authorized users; and (3) track movement of laptops into, out of, and within its facilities. It also failed to encrypt ePHI—or to implement an equivalent alternative mechanism after documenting why encryption was not reasonable and appropriate in its operating environment. The resolution agreement requires the covered entity to conduct an accurate, thorough risk analysis, with an inventory of all electronic equipment, data systems, and applications—including personally owned devices—that contain or store ePHI. Then, subject to OCR approval, the covered entity must update its policies and procedures, develop training materials, and provide workforce training.
EBIA Comment: As OCR gears up for phase 2 of its compliance audits (see our Checkpoint article), the message of these resolution agreements is clear: It is essential to have a comprehensive, organization-wide risk analysis taking into account all of the PHI created, received, maintained, or transmitted by, or on behalf of, the covered entity or business associate. And the risk analysis starts with a comprehensive inventory of all the places where PHI can be found—including personally owned devices. It also bears noting that PHI is seldom static, so it’s crucial to be able to track the movement of devices storing or transmitting PHI, who is using them, and for what purpose. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXIX.D (“Flexibility of Approach: Written Risk Analysis Required”), and XXX (“Core Security Requirements”). You may also be interested in our recorded webinar “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for 2016.”
Contributing Editors: EBIA Staff.