On August 4, 2016, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) announced that it had reached the largest monetary settlement to date from a single entity for breaches of the Health Insurance Portability and Accountability Act (“HIPAA”). OCR’s settlement with Advocate Health Care Network involves the payment of $5.5 million to the Government as well as fulfillment of an extensive – and likely very costly – corrective action plan and continued monitoring by OCR. The settlement agreement with Advocate (http://www.hhs.gov/sites/default/files/Advocate_racap.pdf) documents breaches of the HIPAA Privacy and Security Rules that compromised the privacy of over 4 million patients. Notably, one of these breaches involved the theft of an unencrypted laptop, containing patients’ protected health information, from an employee’s vehicle.
A ruling in another case earlier this year resulted in a significantly lower monetary penalty ($239,800) but reflects a plausible nightmare scenario for any employer. An employee of Lincare, Inc. worked as a manager for a health care provider that rendered services in patients’ homes and thus required employees to use patient information off-site. The employee routinely brought home paper patient records and transported them back and forth in her car. After she and her husband separated and she moved out of their home, her husband found almost 300 patient records “under a bed and in a kitchen drawer.” The husband filed a complaint with OCR, and Lincare ultimately was held responsible for the HIPAA breach.
In June 2016, OCR announced its settlement with Catholic Health Care Services, which provided non-medical management and information technology services to 6 nursing homes. An employee’s company-issued iPhone, containing health information of over 400 nursing home patients (including social security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians and medication information) was stolen. Catholic Health Care Services was required to report the theft and potential HIPAA breach to OCR, and ultimately agreed to pay $650,000 to the Government and fulfill an extensive corrective action plan.
What do all of these cases have in common? The HIPAA breaches were the result of sloppy, careless, and/or unauthorized conduct of employees. Importantly, in each case, OCR noted that the employer had failed to adopt and implement policies and procedures that adequately specified the requirements of employees who handle HIPAA-protected information.
HIPAA has been around for a long time. What is required in its current form?
HIPAA’s protection of patient health information has been in effect since 2003. Since that time, the federal government has augmented, refined, and intensified its enforcement of these HIPAA requirements in the form of the HIPAA Privacy, Security and Breach Notification Rules. The Privacy Rule requires certain individuals and organizations to adopt and implement policies and procedures, including those governing their workforce and workforce training, to ensure the appropriate use and disclosure of a patient’s Protected Health Information (“PHI”), regardless of whether the PHI is in paper, electronic, or oral form. The Security Rule requires these organizations to ensure, and protect against any reasonably anticipated threats or hazards to, the confidentiality, integrity and availability of electronic PHI. The Security Rule also requires each organization to conduct an ongoing risk assessment of its administrative, physical and technical safeguards and to ensure its workforce members’ compliance. Finally, the Breach Notification Rule requires these organizations to notify patients, the federal government, and in certain circumstances the local media, upon discovery of a breach of unsecured PHI.
Our company’s business is not healthcare-related. Why should we care?
HIPAA applies to all “Covered Entities” and, importantly, “Business Associates.” Covered Entities are defined as (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form. A Business Associate, on the other hand, essentially is a Covered Entity’s third-party contractor that must create, receive, use or disclose protected patient information in order to accomplish the services or products required under its contract with the Covered Entity. Every Covered Entity must enter into a Business Associate Agreement with the Business Associate and require the Business Associate to comply with HIPAA. Therefore, even if an employer’s business is not specifically related to healthcare, the employer becomes a Business Associate – and is independently liable for HIPAA breaches – if it provides services or products (e.g., IT services) to a Covered Entity.
What Should an Employer Expect Regarding HIPAA Enforcement in the Future?
The cases described above are recent examples of HIPAA enforcement initiated by either the breach notification or complaint process, and at this time employers subject to these HIPAA requirements should expect continued enforcement and high-dollar settlement amounts. In addition, for the past several years, OCR has developed and is actively implementing an Audit Program to ensure HIPAA compliance, and it has specifically cautioned that “[e]very covered entity and business associate is eligible for an audit. . . . of all sizes and functions.”
What Can an Employer Do Now to Reduce its Risk of HIPAA Non-Compliance?
Employers who are Covered Entities or Business Associates should conduct a comprehensive, updated review of their operations to ensure compliance with the HIPAA rules. With respect to management of the employer’s workforce, these activities should include ensuring that a Privacy and Security Officer is designated; updating and maintaining a workforce training checklist and training documentation forms; updating and evaluating security risks related to employees’ off-site use of mobile electronic devices to use, access and transmit PHI; and updating policies and procedures to specify the boundaries of an employee’s use, disclosure and transmission of PHI off-site.