The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to pick up the pace of enforcement for lax health information security. Following a flurry of three settlements in late 2015 (see our alert OCR strikes again with 3 recent HIPAA settlements), the OCR announced multimillion-dollar settlements this week with a Minnesota health system and a New York biomedical research institute to resolve potential Health Insurance Portability and Accountability Act (HIPAA) violations.
North Memorial Health Care of Minnesota agreed to pay $1.55 million and enter into a corrective action plan to settle OCR’s charges that it violated the HIPAA Privacy and Security Rules by allowing a business associate (Accretive Health) to access North Memorial’s protected health information (PHI) without first executing a business associate agreement, and also by failing to conduct an accurate and thorough risk analysis.
North Memorial and Accretive each paid a steep price for their failure to properly document their business associate relationship. Accretive agreed in 2013 to pay $2.5 million and cease its Minnesota operations to settle a Minnesota Attorney General lawsuit alleging lax security (including accessing PHI from North Memorial before entering into a business associate agreement) and abusive collection tactics. The incidents occurred before the 2013 HIPAA Omnibus Rule took effect, so Accretive, as a business associate, was not directly subject to OCR enforcement under the HIPAA rules; the Federal Trade Commission nevertheless entered into a consent order with Accretive, in part over inadequate laptop security.
On March 17, 2016, the OCR announced that Feinstein Institute for Medical Research (FIMR) agreed to pay $3.9 million to resolve OCR findings that it failed to conduct an accurate and thorough risk analysis and that it failed to encrypt electronic PHI (ePHI) and to implement other safeguards as required under the HIPAA Security Rule. OCR Director Jocelyn Samuels warned that “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.”
The North Memorial and FIMR settlements followed OCR investigations of the theft of unencrypted laptops from the cars of employees of Accretive (North Memorial's business associate) in 2011 and of FIMR in 2012. Such long lag times between the start of each investigation and this week's settlement date suggest that there may be a large backlog of potentially large settlements in the pipeline.
An underlying theme of the OCR's recent enforcement activities is the need for each covered entity and each business associate to conduct and document an accurate and thorough risk analysis that assesses potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI on an enterprise-wide basis. It is then essential, through risk management, to implement security measures that reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Encryption is particularly important, and it is a security measure the OCR continues to focus on. Keep in mind that although encryption is an "addressable" (rather than "required") implementation specification under the Security Rule, addressable does not mean optional: an entity that chooses not to encrypt ePHI must document why encryption is not reasonable and appropriate and implement an equivalent alternative measure, and an unencrypted laptop stolen from a car is exactly the scenario OCR will ask it to explain.
The North Memorial settlement also provides an emphatic reminder that covered entities (as well as business associates) should ensure that an appropriate business associate agreement is in place for each business associate relationship. It is important to keep in mind that, while the Privacy and Security Rules set forth various required terms for business associate agreements, some significant terms (such as insurance, indemnification and accelerated breach notification standards) are negotiable. Nevertheless, if a business associate contributed to a breach, you can count on OCR requesting to see (and scrutinizing) the covered entity's business associate agreement during its investigation.