HIPAA Enforcement Comes to Small Providers: $100,000 and Heightened Compliance Obligations
Alleged HIPAA Violations
The action by the Office for Civil Rights (OCR) arose from allegations that the covered entity did not implement proper safeguards to protect the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI), failed to provide proper training to its workforce, and failed to obtain proper assurances from business associates to ensure privacy and security. In particular, the resolution agreement noted that the covered entity posted over 1,000 entries of ePHI on a publicly accessible Internet-based calendar, transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts, did not conduct a thorough risk assessment of the potential vulnerabilities of the ePHI that it maintained and transmitted, failed to obtain satisfactory assurances from the business associates that provided the covered entity's Internet-based email account and calendar application, and failed to identify a security official to oversee compliance.
The Corrective Action Plan
In addition to the $100,000 settlement payment, the practice assumed substantial obligations under the corrective action plan (CAP), including:
- Developing and implementing policies and procedures to address the alleged violations, which are to be submitted to OCR for approval within 60 days;
- Distributing the policies and procedures to all members of the workforce who use or disclose PHI and obtaining documented certification that each individual received, read, understands and will abide by the policies and procedures;
- Revisiting the policies and procedures at least annually to make any necessary revisions; and
- Reporting to OCR on its implementation within 60 days after receiving OCR's approval of the policies and procedures.
The CAP also specifies certain minimum content for the policies and procedures, including:
- Performing an accurate and thorough risk assessment and submitting documentation of the assessment;
- Developing and submitting a risk management plan to implement security measures that are sufficient to reduce risks to ePHI that is transmitted by, or stored on, portable devices;
- Identifying a security official;
- Obtaining written agreements from all business associates containing satisfactory assurances that they will appropriately safeguard ePHI;
- Implementing technical safeguards for systems that maintain ePHI in order to control access, including measures to encrypt or otherwise adequately safeguard ePHI that is transmitted by, or stored on, portable devices, regardless of whether the portable device is owned by the covered entity or a workforce member, and submitting evidence that the safeguards actually protect such ePHI, including ePHI in text messages; and
- Providing training on the policies and procedures for all members of the covered entity's workforce who will use or disclose PHI, including training on security awareness, security reminders, procedures for guarding against malicious software, log-in monitoring and safeguarding passwords.
The CAP gives the practice a 30-day window to report to OCR any determination that a member of the workforce has violated the policies and procedures. The report must include a description of the violation and the action taken to mitigate any resulting harm and prevent its recurrence.
This action suggests that no covered entity, no matter how small, is beyond the reach of OCR-imposed penalties and formal remediation for an apparent violation of HIPAA privacy and security requirements. OCR does not appear to view the scalability provisions of the security regulations, which allow covered entities to take into account their size and capabilities in developing their risk management plans, as an excuse for failing to comply.
The CAP's requirements also go beyond what the privacy and security regulations specifically require. For example, the regulations do not require workforce members to certify that they have received, read and understood the covered entity's policies and procedures, or that they have attended training on the policies and procedures, but the CAP requires both.
The issues addressed appear to stem, at least in part, from email, text messaging and portable devices, which calls attention to the need to have appropriate safeguards in place to protect ePHI that is transmitted, stored or maintained using email or mobile devices. Historically, Internet service providers (ISPs) have been considered conduits rather than business associates, and covered entities have not generally sought to enter into business associate agreements with them. This CAP's references to the need for satisfactory assurances, in the form of business associate agreements, from a provider of Internet-based public email that receives, stores, maintains and transmits ePHI for the covered entity may signal a change in OCR's position on ISPs.
The full list of reported breaches for 500 or more individuals is available here.
A copy of the CAP is available here.
The HHS press release is available here.
© 2012 Perkins Coie LLP