Properly encrypt and protect electronic protected health information (ePHI) on laptops and in other media!
That's the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).
The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.
HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA to, among other things, tighten certain HIPAA requirements, expand its provisions to apply directly to business associates as well as covered entities, and impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," affecting 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.
Since the Breach Notification Rule took effect, the Office of Civil Rights' announced policy has been to investigate all Large Breaches, and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.
Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.
The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.
Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve its HIPAA Privacy and Security compliance program.
A significant problem faced by organizations offering services to youth, elderly, and the developmentally disabled is that individuals who sexually abuse are not easily identified. The majority of perpetrators involved in these incidents at nonprofit organizations have no prior abuse convictions. Also, they are often highly regarded by their peers and the families of those they are secretly abusing.
Data collected from 227 closed claims files over the past 22 years by the Nonprofits Insurance Alliance Group in Santa Cruz, California (a group with 11,000 members nationwide) reveals some interesting insights: 47% of sexual abuse claims involve agency staff members who have abused clients — mostly children, but also the elderly and mentally disabled; 22% of claims arise from client vs. client contacts — virtually all minors; foster home abuse claims account for another 11%; and claims against agency volunteers account for 4%.
The data indicates that most claims are without merit, but can be expensive to defend and costly when there has been actual abuse. Almost 75% of the claims closed with no indemnity paid and at an average defense cost of $4,000. The remaining 25% averaged almost $130,000 in paid indemnity and $40,000 in defense expenses. Those costs can put a serious dent in the budget of a nonprofit agency not insured for this special exposure.
The standard commercial general liability policy excludes coverage for an intentional act, a central requirement for conviction of sexual abuse. In most states, that exclusion extends to the agency responsible for supervision of the perpetrator. In recent years, many carriers have added specific exclusions for any claim of sexual misconduct, and also added those exclusions to Directors and Officers policies. That leaves agencies and their boards without protection for claims that they negligently hired, trained or supervised their staff or volunteers, negligently certified foster homes, or provided inadequate oversight to the activities of clients in their care.
This is the second of a two-part series on what non-profits should do when a lawsuit is filed against them. Part 1 of this series can be found here.
What Are All of These Papers?
Let's look at the lawsuit itself. When a lawsuit is served, there are two different parts: a summons and a complaint (or some other name). The summons is a notice to you and/or your organization that you have been sued. The complaint tells you what the suit is about and what the person suing wants.
The Summons: The top paper is the summons. The summons is a very important piece of paper. It tells you who has filed the lawsuit, what attorney represents that person and what court the suit will be heard in.
The summons will also tell you exactly who is being served.
The Complaint: The complaint is all of the rest of the papers you receive except for the top page, or summons. In some cases other documents will be included with the complaint. A statement of damages (usually a huge number, unrelated to the merits of the case), and a notice from the court extolling the virtues of arbitration or mediation are the most common attachments.
The complaint is a description of all of the bad things you are supposed to have done to the plaintiff and what they have suffered as a result of your actions.
Generally speaking, it is not a good idea to read the complaint right away. Most people get very upset at what the lawsuit claims to have happened. Remember, lawsuits are all written in the same manner and use the same type of language.
Many counties have adopted a "fill in the blank" form complaint where boxes are checked and a few paragraphs describing the particular event leading to the specific lawsuit are inserted in the appropriate places.
Remember that most of the language used is standardized from complaint to complaint, and while this particular one may rant and rave about you or your organization, you will be comforted to know that all complaints rant and rave in the same fashion.
This is the first of a two-part series on what non-profits should do when a lawsuit is filed against them. Part 2 of the series can be found here.
When Can a Lawsuit Be Filed?
In each state, there are various statutes of limitations or time limits in which a lawsuit must be filed for damaged persons to protect their claims and preserve their rights. In cases claiming bodily injury, persons who are injured must have concluded their claim within a specified time from the date of the incident, or file a lawsuit by the close of court on that specified date if they wish to pursue the claim.
Minors enjoy additional protection under the law. They have until a specified time past their date of majority to file a lawsuit, regardless of when the accident happened.
The statute of limitations for property damage or breach of a written contract may even be longer.
In some cases, people with mental infirmities may have no applicable statutes of limitations.
What Court Will Be Used?
Each state differs and some have names you may not have heard before. In California, for example, there are two levels of state courts where most of the lawsuits will likely be heard. These are Small Claims and Superior Courts.
Small Claims Court has a jurisdictional limit, usually in the range of $5,000 to $7,500. Claims for larger amounts cannot be filed in Small Claims. Attorneys are often not permitted in Small Claims Court. The parties represent themselves.
Superior Court is where most of the lawsuits in which nonprofits are likely to be involved will be filed. There is no limit to the amount of damages that can be awarded in Superior Court unless there is a specific statutory cap.
Federal Court is the most likely place for employment cases involving allegations of discrimination or harassment. Cases involving out-of-state parties are also candidates for Federal Court.
Where Will the Lawsuit Be Filed?
The geographical location of the court depends on where the accident or alleged wrongdoing happened, where the plaintiff lives, or where the defendant does business. The lawsuit is usually filed in the county where the event happened, but there are exceptions. If the plaintiff lives in a different county, the court may permit the lawsuit to be brought in that county rather than the one where the event occurred.