It was an active year for the federal government’s enforcement of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, their implementing regulation, HIPAA. So far in 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has entered into settlement arrangements with seven covered entities to resolve alleged violations of HIPAA. While at first glance this may not seem like substantial enforcement activity, it represents the greatest number of HIPAA settlements by OCR in any calendar year to date.

Skagit County, Washington (March 6, 2014)

OCR’s first HIPAA settlement of the year was entered into on March 6, 2014, with a county government. OCR opened an investigation of Skagit County, Washington, upon receiving a December 9, 2011, breach notification that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the county.

OCR’s investigation revealed a broader exposure of the ePHI of 1,581 individuals whose information was accessible on the county’s public web server. Many of the accessible files involved ePHI of a sensitive nature, including information concerning the testing and treatment of infectious diseases. OCR’s investigation further uncovered general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security and Breach Notification Standards (e.g., failure to notify the affected individuals of the breach, lack of sufficient policies and procedures, failure to train county workforce). The investigation was settled through the execution of a resolution agreement that included a payment of $215,000 and a corrective action plan (CAP). The CAP has a three-year term and requires Skagit County to take the following actions, among others:

• post a notification of the breach on the home page of the county’s website for 90 days and in major print or broadcast media;
• update its privacy, security and breach notification policies and procedures subject to OCR’s review;
• submit hybrid entity documents designating its covered health care components to OCR, and implement hybrid entity and related safeguards;
• report to OCR any violations of its HIPAA policies and procedures by workforce members, and
• submit annual compliance reports to OCR.

QCA Health Plan, Inc. (April 14, 2014)

On April 14, 2014, OCR entered into a resolution agreement and CAP with QCA Health Plan, Inc., to settle alleged violations of the HIPAA Privacy and Security Standards. OCR began investigating QCA after receiving a breach notification from the insurer on February 21, 2012, that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car.  In addition to the unauthorized disclosure of ePHI, OCR’s investigation revealed that QCA had not: implemented policies and procedures to prevent, contain and correct security violations; conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI it held; implemented security measures sufficient to reduce any identified risks and vulnerabilities to a reasonable and appropriate level, or implemented appropriate physical safeguards for workstations that accessed ePHI.

The investigation was settled through the execution of a resolution agreement that included a payment of $250,000 and a CAP. The CAP has a two-year term and requires QCA to take the following actions, among others:

• provide OCR with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI;
• retrain its workforce;
• report to OCR any violations of its HIPAA policies and procedures by workforce members, and
• submit annual compliance reports to OCR.

Concentra Health Services (April 21, 2014)

On April 21, 2014, OCR entered into a resolution agreement and CAP with Concentra Health Services to settle alleged violations of the HIPAA Privacy and Security Standards. The settlement resulted from an investigation initiated by OCR upon receiving a December 2011 breach report that an unencrypted laptop was stolen from a Concentra physical therapy center.

The total number of affected patients was unclear. OCR alleged that Concentra failed to remediate and manage its lack of encryption, which was identified as a potential source of vulnerability in Concentra’s HIPAA risk assessment. For instance, only 434 out of the covered entity’s 597 laptops were encrypted. OCR also alleged that Concentra had failed to implement policies and procedures to prevent, detect, contain and correct security violations. Prior to this incident, Concentra had been subject to two security breaches involving stolen, unencrypted laptops that each affected more than 500 individuals, as well as 16 additional breaches affecting fewer than 500 individuals. The investigation was settled through the execution of a resolution agreement that included a payment of $1,725,220 and a CAP. The term of the CAP is two years and requires Concentra to take the following actions, among others:

• conduct and submit for OCR’s approval periodic risk analyses, including assessments of potential risks and vulnerabilities to the confidentiality of Concentra’s ePHI;
• implement risk management plans and provide OCR with evidence of such implementation and timelines for any expected remediation actions;
• provide to OCR periodic encryption status updates;
• provide security awareness training to its workforce members, and
• submit annual compliance reports to OCR.

Columbia University and New York-Presbyterian Hospital (May 7, 2014)

On May 7, 2014, OCR entered into a resolution agreement and CAP with each of The Trustees of Columbia University in the City of New York (CU) and New York-Presbyterian Hospital (NYP) to settle alleged violations of the HIPAA Privacy and Security Standards. The settlements arose from OCR investigations of CU and NYP following their September 27, 2010, joint notification to OCR of the unauthorized disclosure of ePHI for 6,800 individuals, including patient status, vital signs, medications and laboratory results.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The breach was caused when “a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI.” Deactivation of the server resulted in ePHI being accessible on Internet search engines. The breach was discovered when an individual complained after finding the ePHI of the individual’s deceased partner, a former NYP patient, on the Internet.

OCR stated that its investigation found that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI, and therefore “neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR also alleged that NYP had failed to implement appropriate policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.

In order to resolve the alleged violations, NYP entered into a resolution agreement with OCR that included a payment of $3.3 million and a three-year CAP. Similarly, CU entered into a resolution agreement with OCR that included a payment of $1.5 million and a three-year CAP. Under the CAPs, NYP and CU each agreed to take the following actions, among others:

• conduct and submit to OCR a risk analysis;
• implement a risk management plan;
• develop processes to evaluate environmental or operational changes to information systems that affect the security of ePHI;
• revise policies and procedures on information access management and device and media controls;
• develop/update a mandatory privacy and security awareness training program for workforce members with access to ePHI;
• investigate and notify OCR of any failures by workforce members to comply with HIPAA policies and procedures, and
• submit annual compliance reports to OCR.

Parkview Health System, Inc. (June 17, 2014)

On June 17, 2014, Parkview Health System entered into a resolution agreement and CAP with OCR to settle alleged violations of the HIPAA Privacy Standards resulting from a June 4, 2009, incident that involved paper medical records. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule when returning approximately 5,000–8,000 of the physician’s medical records. Parkview had taken custody of the records while assisting the retiring physician in transitioning her patients to new providers and was considering purchasing some of the records upon the physician’s retirement. OCR alleged that Parkview did not appropriately safeguard the records when returning them to the retiring physician. To settle the allegations, Parkview entered into a resolution agreement with OCR that included a payment of $800,000 and a CAP. The CAP has a one-year term and, in part, requires Parkview to:

• adopt and implement a policy governing the safeguarding of non-electronic PHI;
• train its workforce on the policy;
• notify OCR of any violations of the policy, and
• submit a report to OCR regarding its compliance with the CAP.

Anchorage Community Mental Health Services (December 17, 2014)

On December 2, 2014, Anchorage Community Mental Health Services, Inc., (ACMHS) and OCR entered into a resolution agreement and CAP to settle alleged violations of the HIPAA Security Standards. OCR initiated an investigation into ACMHS’s compliance with HIPAA after receiving a March 2, 2012, notification from the provider regarding a breach of unsecured ePHI affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. OCR’s investigation found that ACMHS had never performed an accurate and thorough risk assessment, had never implemented HIPAA security policies and procedures and, since 2008, had failed to implement technical security measures to guard against unauthorized access to ePHI transmitted electronically by failing to ensure that appropriate firewalls were in place and regularly updated with available patches. ACMHS agreed to pay $150,000 and to comply with the requirements set forth in the CAP to settle the allegations. The term of the CAP is two years and, in part, obligates ACMHS to:

• revise, adopt and distribute to its workforce updated HIPAA security policies and procedures that have been approved by OCR;
• develop and provide updated, OCR-approved, security awareness training to applicable workforce members;
• conduct annual risk-assessments of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by ACMHS;
• document the security measures implemented to reduce identified risks and vulnerabilities to a reasonable and appropriate level;
• investigate and report to OCR any violations of its HIPAA security policies and procedures by workforce members, and
• submit annual reports to OCR describing ACMHS’s compliance with the CAP.

All but one of the settlements discussed above arose from unauthorized disclosures of ePHI and serve as reminders to covered entities and business associates to take appropriate steps to implement robust technical, administrative and physical safeguard to protect the ePHI in their possession.

It is also worth noting that the financial payments required under the 2014 resolution agreements do not appear to directly correlate to the number of individuals potentially affected by a breach. This is consistent with settlements in prior years and is likely due to a variety of factors including the egregiousness of the circumstances surrounding a breach, the findings of OCR’s compliance investigation, and the nature of the interactions between the covered entity and OCR.  

It is likely that OCR’s increased HIPAA enforcement activity will continue in 2015. The agency has been increasingly vocal about enforcement being a priority, possibly in response to congressional pressure to meet its statutory enforcement mandate and a recent Office of Inspector General investigation criticizing OCR’s enforcement practices. For example, OCR representatives recently backed away from prior statements that the upcoming round of HIPAA compliance audits are primarily intended to be educational, noting that the audit program will be used as an enforcement tool.

In addition, six of the seven settlements discussed above arose from self-reported breach notifications, the latest of which was made in March of 2012. Accordingly, OCR likely has a large pipeline of active investigations which will only increase due to the lower breach reporting threshold that was adopted in the final HIPAA Omnibus Regulations and became effective on September 23, 2013.

Finally, while there has recently been a notable amount of turnover in top-level HIPAA staff at OCR, there is nothing to suggest that the new leadership will divert from making enforcement an ongoing priority in the years to come. One might also expect an uptick in the level of enforcement by state Attorneys General as they increasingly assert their HIPAA enforcement authority granted under the 2009 HITECH Act.

Conducting a thorough risk assessment, addressing any identified vulnerabilities, implementing and updating comprehensive HIPAA policies and procedures, and appropriately training workforce members who have access to PHI are all steps that covered entities and business associates must take to comply with HIPAA and to protect the PHI in their possession.