With 2016 winding down, covered entities and their business associates cannot ease up when it comes to protecting PHI. As the OCR HIPAA settlements from the year have shown, there has been a strong focus on healthcare organizations conducting regular and comprehensive risk analyses, as well as ensuring that proper business associate agreements are in place.
As of this publication date, there have been 13 OCR settlements posted throughout the year, totalling $23,505,300.
Both covered entities and business associates have faced OCR’s scrutiny, and the settlement agreements ranged from $25,000 to over $5 million.
By reviewing past cases, healthcare organizations will hopefully take the time to ensure that they remain fully HIPAA compliant, even as they implement new technologies into daily operations. PHI security must always remain a top priority, with physical, technical, and administrative safeguards carefully considered.
The University of Massachusetts Amherst agreed to a $650,000 OCR HIPAA settlement after allegations that it had violated HIPAA in 2013. A malware infection had potentially exposed the ePHI of 1,670 individuals, according to OCR, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
The malware was discovered at a workstation in the UMass Center for Language, Speech, and Hearing (the Center). The university reported the incident on June 18, 2013, and “determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.”
St. Joseph Health (SJH) agreed to an OCR HIPAA settlement following reports that it had publicly accessible files containing ePHI from 2011 to 2012. SJH was to pay a settlement fine of $2,140,500 and adhere to a corrective action plan.
SJH notified OCR on February 14, 2012 that certain files containing ePHI were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.
In a case important for business associates to take note of, Care New England Health System (CNE) agreed to a $400,000 OCR HIPAA settlement because an investigation found that it had not had a current business associate agreement in place to keep PHI secure.
OCR found that Women & Infants Hospital of Rhode Island (WIH) was a CNE covered entity, and had lost unencrypted backup tapes that held the ultrasound studies of approximately 14,000 individuals. While there had been a BAA, it was not updated until August 28, 2015 and “did not incorporate revisions required under the HIPAA Omnibus Final Rule.”
Advocate Health Care Network (Advocate) had the largest OCR HIPAA settlement to date at the time of publication, with a $5.55 million agreement.
The Illinois-based healthcare system faced multiple alleged HIPAA violations and noncompliance issues. Advocate submitted three data breach notification reports to HHS between August 23, 2013 and November 1, 2013.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” OCR Director Jocelyn Samuels said in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
The University of Mississippi Medical Center (UMMC) was also found to not have adequate risk management security measures, according to the OCR investigation, even after UMMC was aware of certain risks and vulnerabilities to its system.
UMMC and OCR agreed to a $2.75 million settlement in July 2016. OCR investigated the university because of a health data breach that reportedly affected 10,000 individuals, triggered by a missing laptop that contained ePHI. The investigation also found that ePHI “stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could access an active directory containing 67,000 files after entering a generic username and password,” according to OCR.
Physical safeguards had also not been implemented for all workstations with ePHI access, OCR said.
Oregon Health and Science University (OHSU) signed a resolution agreement with OCR for $2.7 million in July 2016.
OHSU had two reported health data breaches from 2013. One involved an unencrypted laptop that was stolen, and the other occurred when OHSU allegedly stored data with an internet-based service provider, Google, that was not a business associate.
OHSU used Google Mail and Google Drive, which do have security features in place, such as password protection. However, Google was not an official business associate, so there was no contractual agreement in place to use or store OHSU patient health information.
In another case highlighting the necessity of updated BAAs, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a $650,000 OCR HIPAA settlement in June 2016.
CHCS provided management and information technology services as a BA to six skilled nursing facilities. OCR received separate notifications in February 2014 from all six of CHCS’ nursing homes that a mobile device had been stolen, potentially compromising 412 individuals’ information.
CHCS had also not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”
New York Presbyterian Hospital agreed to a $2.2 million OCR HIPAA settlement after it allowed a media crew to film patients without prior authorization.
OCR investigated data breach allegations after New York Presbyterian reportedly allowed film crews and staff from ABC television to capture two patients on screen without acquiring appropriate authorization. The media crew was filming for the television series “NY Med.”
“In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop,” HHS explained.
North Carolina’s Raleigh Orthopaedic Clinic, P.A. agreed to an OCR HIPAA settlement of $750,000 after an alleged healthcare data breach in 2013 involving a business associate.
The clinic exposed PHI to a vendor without a proper business associate agreement, OCR found. Raleigh Orthopaedic had been the victim of a scam, and the x-rays it supplied to a vendor were sold to a recycling company in another state.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” OCR Director Jocelyn Samuels said. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Feinstein Institute for Medical Research agreed to pay $3.9 million in March 2016 for a HIPAA settlement after OCR investigated a health data breach in 2012.
A computer programmer’s laptop was reportedly stolen from a car. The employee was responsible for organizing research data. However, OCR explained that research institutions “must be held to the same compliance standards as all other HIPAA-covered entities.”
OCR reported that 13,000 individuals potentially had their data exposed in the incident.
Minnesota-based North Memorial Health Care failed to identify Accretive Health, Inc. as a business associate, according to an OCR investigation. This led to a $1.55 million HIPAA settlement, as Accretive had been able to gain access to North Memorial’s databases containing PHI without a BAA in place.
The investigation revealed that North Memorial started sending Accretive PHI on March 21, 2011, but the organizations had not entered into a written agreement until October 14, 2011.
“Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure,” OCR Director Jocelyn Samuels explained.
Complete P.T., Pool & Land Physical Therapy, Inc. agreed to a $25,000 HIPAA settlement following allegations from 2012 that Complete P.T. had impermissibly disclosed patient PHI.
Complete P.T. had allegedly “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
“With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing,” OCR Director Jocelyn Samuels said at the time.
There must be “adequate policies and procedures to obtain an individual’s authorization for such purposes.”
An HHS Administrative Law Judge (ALJ) ruled at the beginning of 2016 that Lincare, Inc. would need to pay $239,800 in fines for a HIPAA violation.
OCR had found that Lincare was responsible for the PHI disclosure of 278 patients.
Lincare’s general manager had been found to not have taken appropriate measures under the HIPAA Privacy Rule to adequately safeguard PHI. When the general manager moved out of her home, she had reportedly left the medical files behind.
“The decision in this case validates the findings of our investigation,” OCR explained. “Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”