Tag Archives: ephi

Hard Lessons on Protecting Health Data

The $2.5 million payment and corrective action plan that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) required for CardioNet to settle potential charges of noncompliance with the Health Insurance and Portability Act (HIPAA) Privacy and Security Rules contains many important lessons for other healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates.

A remote cardiac monitoring provider, CardioNet is paying the $2.5 million settlement payment and implementing a corrective action plan to settle potential OCR charges it violated HIPAA by impermissible disclosure of unsecured electronic protected health information (ePHI).

The first OCR HIPAA settlement involving a wireless health services provider, the CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) announced by OCR on April 24, 2017, adds to the rapidly growing list of announced OCR HIPAA enforcement actions that clearly show all covered entities and their business associates the substantial enforcement liability risks of failing to finalize and actually adopt, implement, administer and maintain the necessary HIPAA Privacy and Security policies and procedures required by HIPAA as well as some of the steps OCR expects to fulfill these requirements.

CardioNet OCR Investigation and Resolution Agreement

As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On Jan. 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of ePHI 2,219 individuals.

The facts outlined in the resolution agreement highlight compliance weaknesses existing in the operations of many HIPAA covered entities and business associates. According to the resolution agreement, OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:

  • CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
  • CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
  • CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
  • CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
  • CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.

See also: Healthcare Buyers Need Clearer Choices

To resolve these OCR charges, CardioNet agrees to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:

  • Prepare a current, comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that risk analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
  • Assess whether its existing security measures are sufficient to protect its ePHI and revise its risk management plan, policies and procedures and training materials and implement additional security measures, as needed.
  • Develop and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis as required by the risk management plan.
  • Review and, to the extent necessary, revise, its current security rule policies and procedures based on the findings of the risk analysis and the implementation of the risk management plan to comply with the HIPAA Security Rule.
  • Provide certification to OCR that all laptops, flashdrives, SD cards and other portable media devices are encrypted, together with a description of the encryption methods used.
  • Review and revise its HIPAA security training to include a focus on security, encryption and handling of mobile devices and out-of-office transmissions and other policies and practices required to address the issues identified in the risk assessment and otherwise comply with the risk management plan and HIPAA train its workforce on these policies and practices.
  • Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
  • Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that the information is accurate and truthful.
  • Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.

Implications of CardioNet and Other HIPAA Enforcement For Covered Entities and Business Associates

The CardioNet resolution agreement contains numerous lessons for other covered entities and their business associates, including:

  • Like many previous resolution agreements announced by OCR, the resolution agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process OCR expects all laptop computers and other mobile devices containing or with access to ePHI will be properly encrypted and secured.
  • It also reminds covered entities and their business associates to be prepared for, and expect an audit from, OCR when OCR receives a report that the organization experienced a large breach of unsecured ePHI.
  • The resolution agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects that OCR expects covered entities to actually finalize policies, procedures and training for maintaining compliance with HIPAA.
  • The discussion and requirements in the corrective action plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
  • The requirement in the resolution agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
  • Finally, the $2.5 million settlement payment required by the resolution agreement and its implementation against CardiNet makes clear that OCR remains serious about HIPAA enforcement.

While the $2.5 million settlement payment sends a strong message about the risks of violating HIPAA by itself, this lesson takes on even greater significance when considered in light of OCR’s January 2017 announcement of its imposition of another HIPAA civil monetary penalty against Children’s Medical Center of Dallas and the growing list of expensive settlement payments that OCR has exacted from other covered entities wishing to avoid CMPs for their alleged HIPAA violations.

In January 2017, for instance, OCR announced Children’s paid a $3.2 million CMP assessed by OCR for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies that resulted from its failure to take appropriate, well-documented actions to timely to secure ePHI on systems and mobile devices and other actions needed to comply with other HIPAA privacy or security requirements.

Of course, covered entities and business associates need to keep in mind that that actions and inactions that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporates Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.

See also: Healthcare Disruption: Providers Are Making Newspaper Industry Mistakes  

Beyond, and regardless of the technical legal defensibility of its actions under these and other laws, however, the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation, admission also typically are the most inevitable:

  • The intangible, but critical loss of trust and reputation that covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
  • The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation or charge.

In light of these risks, covered entities business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.

As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breach or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SMCS agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because  health plan PHI records also typically include personal tax, Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employer and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements.. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

OCR Nails Hospice For $50K In First HIPAA Breach Settlement Involving Small Data Breach

Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!

That’s the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).

The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.

HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.

Since the Breach Notification Rule took effect, the Office of Civil Rights’ announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.

Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.

The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.

Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights’ first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).

Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.

Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

Office of Civil Rights Director Leon Rodriguez, in OCR’s announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights’ expectation that covered entities will properly encrypt ePHI on mobile or other devices. “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

In the face of rising enforcement and fines, the Office of Civil Rights’ initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights’ investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights’ enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.

To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.

For more information on HIPAA compliance and risk management tips, see here.