There have been a number of recent developments related to compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) has provided guidance on a number of subjects and announced a large number of settlements with covered entities and, for the first time, with a business associate.
OCR has provided additional guidance about the phase 2 audits it is conducting. OCR is auditing 167 covered entities, but the audits are not uniform: some covered entities have been asked about privacy policies and procedures, others are being audited on Security Rule requirements such as risk analysis, and others on breach notification. Most of the audits will be desk audits, meaning that the covered entities and business associates being audited will simply have to provide documents; a smaller number of audits will be more comprehensive on-site reviews.
OCR has also released a fact sheet providing guidance on ransomware as it relates to HIPAA. OCR says that the presence of ransomware (or any malware) on a covered entity's or business associate's computer systems is a security incident under the Security Rule. OCR has explained that a ransomware attack that encrypts ePHI must be presumed to be a breach under HIPAA unless the covered entity or business associate can demonstrate, through the required risk assessment, that there is a low probability that the protected health information (PHI) has been compromised; if that showing is made, no breach notification is required. Breach notification is also not required where the affected electronic PHI (ePHI) was already encrypted in a manner consistent with HHS guidance, because such data is not "unsecured PHI." The fact sheet cautions, however, that this depends on the data actually being encrypted at the time of the attack: full-disk encryption, for example, does not protect files that the ransomware can read because an authenticated user was logged in when it ran.
OCR has issued an answer to a frequently asked question explaining that a flat fee of $6.50 is not the maximum amount that can ever be charged to individuals for electronic copies of their PHI, but is an option available to covered entities that do not want to calculate actual or average costs. Earlier guidance described three permissible methods for calculating the fee: actual cost, average cost, or the $6.50 flat fee.
OCR has also suggested that covered entities consider adding requirements to their business associate agreements to ensure that they are adequately notified of any security breach or cyberattack affecting ePHI.
For the first time, a business associate, Catholic Health Care Services, has settled a direct enforcement action under HIPAA. The theft of a smartphone compromised the PHI of hundreds of people.
Advocate Health Care Network has agreed to a settlement of $5.55 million with HHS for multiple potential violations.
Banner Health revealed that hackers may have accessed the health care payment and health plan information of up to 3.7 million patients.
Personal information for 3.3 million people with health insurance was compromised when a server for Newkirk Products, a company that creates ID cards for insurance companies, was accessed without authorization.
OCR has announced a $2.75 million resolution agreement following an investigation into a missing laptop computer at the University of Mississippi Medical Center, likely stolen by a visitor who had asked to borrow it. OCR's investigation revealed that ePHI stored on a network drive could be reached over the medical center's wireless network using only a generic, shared user name and password.
OCR has announced that it has reached a $2.7 million settlement with Oregon Health & Science University (OHSU) to resolve potential violations of the HIPAA Security Rule. OCR found widespread and diverse problems at OHSU that will be addressed through a comprehensive three-year corrective action plan. The corrective measures include a risk management plan that emphasizes encryption. OCR opened its investigation after receiving multiple breach reports from OHSU, including two reports involving unencrypted laptops and a large breach involving an unencrypted thumb drive.
New York Presbyterian Hospital has agreed to a settlement for $2.2 million and two years of monitoring for the impermissible disclosure of PHI of two patients due to the lack of appropriate safeguards.
All of these developments should serve as a reminder to all covered entities (including employer-sponsored health plans) of the importance of having HIPAA privacy and security policies and procedures and of following those procedures.