|April 16, 2014|
Previously published on April 10, 2014
HIPAA covered entities (healthcare providers, health plans and healthcare clearinghouses) and business associates (various contractors or vendors who perform services or functions for covered entities and have access to patient information) face an expanding universe of potential enforcers ready to pounce on any data breach or apparent failure to comply with HIPAA standards. In recent months, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the Federal Trade Commission (FTC), the California Attorney General, the Puerto Rico Health Insurance Administration, and class action plaintiffs’ attorneys have flexed their muscles to impose fines or settlements on covered entities and business associates for data security and privacy practices. These recent developments, as well as some action steps for covered entities and business associates, are discussed below.
HIPAA fines, settlements and audits
OCR investigations of possible HIPAA violations are commonly triggered by data breach reports but can also arise from other sources, such as complaints or audits. OCR, which administers and enforces the HIPAA Security, Privacy, Breach Notification and Enforcement Rules (the “HIPAA Rules”), has entered into HIPAA resolution agreements with covered entities in 17 cases for HIPAA noncompliance since 2008. The two most recent examples involved payments of $215,000 by Skagit County, Washington in March 2014, and $150,000 by a New England dermatology practice in December 2013. The settlement with Adult & Pediatric Dermatology, P.C. for failure to perform risk analysis and implement breach notification policies and procedures is discussed in our Alert, A Surge in Healthcare Data Breaches.
OCR has announced plans to implement a HIPAA audit program this year, and in preparation for the audits, to survey up to 1,200 covered entities and business associates to determine which of the covered entities and business associates are suitable for OCR’s audit program. The audits will target business associates as well as covered entities, although it is uncertain whether business associates will be included within the initial round of audits. Findings of possible noncompliance during an audit could trigger compliance reviews and perhaps civil monetary penalties if the investigation reveals significant HIPAA violations.
With the HIPAA Omnibus Rule firmly in place, OCR is expected to become more aggressive in enforcing the HIPAA Rules and in imposing civil monetary penalties against business associates as well as covered entities. Although OCR has historically focused its enforcement activities on covered entities, business associates share the enforcement spotlight now that Security and Privacy Rule obligations have been extended to business associates. Scrutiny will increase further with the implementation of the upcoming HIPAA audit program.
FTC emerges as another healthcare data security enforcer
The FTC has made it clear that it is willing and able to extend its enforcement authority to covered entities and business associates based on FTC allegations of inadequate data security. The FTC’s recent healthcare data security enforcement actions have been based on the theory that failure to employ reasonable and appropriate measures to protect electronic protected health information (ePHI) or other sensitive personal information against unauthorized access is an unfair or deceptive act or practice in violation of Section 5(a) of the FTC Act.
On Jan. 31, 2014, the FTC announced its agreement with GMR Transcription Services, Inc. (GMR) and its two principal owners resolving allegations that GMR failed to adequately monitor compliance by its contractor and to require the contractor to implement security measures. The FTC’s Jan. 31, 2014 press release and related documents are available here.
GMR acted in the role of a business associate to its covered entity customers. As the conduct referenced in the complaint occurred prior to the Sept. 23, 2013 compliance date for the HIPAA Omnibus Rule that extended the Security Rule to business associates, GMR was not subject to enforcement by OCR for violations of the Security Rule, so the FTC’s role in the GMR case could be viewed as plugging a gap in HIPAA enforcement.
Two other recent cases, however, suggest a more expansive FTC role in regulating healthcare data privacy and security practices. The FTC announced the GMR settlement just 15 days after asserting authority to regulate data security practices of HIPAA covered entities in a case against LabMD, Inc., and a month after the FTC and Accretive Health, Inc. settled FTC charges of inadequate security. The primary issue in the Jan. 16, 2014 LabMD decision was whether the FTC has authority to regulate the data security practices of a covered entity that is also subject to the HIPAA Rules. While acknowledging that it does not have authority to enforce the HIPAA Rules, the FTC found that it has broad authority to define and proscribe unfair acts or practices, including those involving data security activities, and that HIPAA does not strip the FTC of this authority over covered entities. LabMD subsequently filed a lawsuit in federal court on March 20, 2014 challenging the FTC’s authority and alleging abuse of power. On April 7, 2014, less than three months after the LabMD decision, a federal judge in New Jersey upheld the authority of the FTC to regulate data security, rejecting arguments by Wyndham Hotel companies that the FTC does not have authority to sue the hotel chain for failure to protect sensitive personal information.
Data breaches and failures to protect personal information can often subject a covered entity or business associate to a challenge for violations of state law. Recent actions in California and Puerto Rico provide examples.
Kaiser Foundation Health Plan (KFHP) agreed in February 2014 to pay $150,000 to resolve allegations by the California Attorney General that KFHP waited too long to notify individuals that their personal information had been breached. For a discussion of this settlement, see our Alert, First-of-its-kind lawsuit for unnecessary delay in data breach notices.
Also in February 2014, the Puerto Rico Health Insurance Administration imposed a $6.8 million fine and administrative sanctions against Triple-S Salud, Inc., a health insurer, for failure to appropriately respond to a breach involving the display of Medicare Health Insurance Claim Numbers in mailings to Medicare Advantage beneficiaries.
Recent class action settlements in Florida and California illustrate the growing exposure to class action lawsuits for healthcare data breaches.
On Feb. 28, 2014, a federal court in Florida approved a $3 million class action data breach settlement by health insurer AvMed relating to the theft of unencrypted laptops containing patient records. Customers whose personal information was on the stolen computers are entitled to payment under the settlement even if they were not victims of identity theft.
Stanford Hospital and Clinics, its business associate (Multi-Specialty Collection Services, LLC) and the business associate’s subcontractor (Corcino & Associates) agreed in March 2014 to pay a combined $4.1 million to settle a class action lawsuit arising out of the subcontractor’s posting of patient information on a student website. The action was filed under the California Confidentiality of Medical Information Act, which allows patients to sue healthcare providers and others for the negligent release of individually identifiable medical information.
Compliance with the HIPAA Rules is a challenge for covered entities and business associates alike. The convergence of enforcement by OCR, the FTC, state agencies, and attorneys general, as well as plaintiffs’ attorneys, expands the potential exposure of covered entities and business associates for data breaches and failure to comply with the myriad requirements of the HIPAA Rules or with other laws and regulations relating to the privacy or security of protected health information (PHI) or other personal information. This also increases uncertainties for covered entities and business associates by subjecting them to second-guessing from a plethora of potential enforcers. For example, compliance with the HIPAA Rules might not protect a covered entity or business associate from challenges by the FTC, plaintiffs’ attorneys or by a state attorney general.
While some risks cannot be eliminated, covered entities and business associates should take appropriate steps to ensure that their systems, policies and procedures satisfy all requirements of the HIPAA Rules as well as state law, adequately protect the privacy and security of all PHI and other sensitive personal information, and minimize the likelihood of a data breach. Action steps of particular importance include:
- Review and update written HIPAA privacy, security and breach notification policies and procedures;
- Identify and review all business associate relationships and ensure that appropriate business associate agreements are in place;
- Perform risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI;
- Take action on security gaps (risk management) and promptly correct identified HIPAA violations or other vulnerabilities;
- Document HIPAA-related determinations and actions;
- Train members of the workforce to comply with the HIPAA Rules and to promptly identify, investigate and respond to possible data breaches;
- Encrypt ePHI to the extent feasible;
- Avoid unnecessary disclosures of PHI; and
- Obtain (or at least determine the feasibility of) cyber insurance.