The last time this blog presented an overview of key HIPAA settlement agreements at the Office for Civil Rights in the U.S. Department of Health and Human Services was a review of 2014. The number of complaints that year had spiked up compared to 2013: around a 25% increase. This post will examine key cases from 2015 and 2016. While the number of complaints in 2015 was relatively steady with 2014, it appears, based on preliminary numbers, that 2016 was the busiest year ever for the Office.
HHS has data through November 2016 currently posted on its website, but no data for December 2016. There it notes that, from April 14, 2003 through November 2016, it has received 144,662 complaints. Elsewhere, the agency has the number of complaints received by year, from 2003 through 2015: 125,641. Thus, even without the data for December 2016, it appears that in 2016 the Office received 19,021 complaints. The previous highest year, 2014, saw 18,015 complaints.
Here’s a brief summary of some key agreements from 2015 and 2016:
Cancer Care Group, P.C. is 13-doctor radiation oncology practice in Indiana. In September 2015, Cancer Care agreed to a $750,000 settlement with OCR. This grew out of, initially, the discovery that a laptop was stolen from a Cancer Care employee’s car. The laptop contained unencrypted names, dates of birth, SSNs, insurance information, and clinical information on around 55,000 current and former Cancer Care patients. A subsequent investigation revealed that Cancer Care “was in widespread non-compliance with the HIPAA Security Rule.” Proper encryption must be a part of an organization’s approach to data management.
In November 2015, OCR reached an $850,000 settlement with Lahey Hospital and Medical Center, a teaching hospital in Burlington, Massachusetts. Similar to Cancer Care, Lahey’s troubles started with a stolen laptop. In this case, it contained the protected health information of 599 individuals. But the trouble for Lahey did not end there. Following a subsequent investigation, OCR uncovered widespread non-compliance with HIPAA rules. For example, Lahey failed to physically safeguard a workstation that accessed ePHI. It also failed to implement procedures that recorded and examined activity in the workstation at issue. As a result, Lahey’s stolen laptop, with fewer affected individuals then Cancer Care, ultimately resulted in a larger fine.
Then days later, OCR announced a whopping $3.5 million settlement with Puerto Rico-based insurance holding company TRIPLE-S. OCR received multiple breach notifications from TRIPLE-S involving unsecured PHI. After an investigation, OCR identified significant problems. Notably, TRIPLE-S had impermissibly disclosed its beneficiaries’ PHI to an outside vendor without an appropriate business associate agreement and also used or disclosed more PHI than necessary to carry out certain mailings.
Just before the end of 2015, OCR announced an $850,000 settlement with the University of Washington Medicine. This investigation began following a breach report in November 2013, when an employee of UWM downloaded an email attachment containing malicious malware. The malware compromised UWM’s IT system, affecting approximately 90,000 individuals. Not all of the same information was compromised for all 90,000, but for many included names, dates of birth, SSNs, insurance information, and dates of service. A subsequent investigation revealed that UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to vulnerabilities in their respective environments.
OCR has shown no signs of letting up in 2016. In March last year, OCR announced a $1.55 million settlement with North Memorial Health Care of Minnesota. The investigation began after a too-familiar breach report: an unencrypted, password-protected laptop was stolen from a locked vehicle, impacting the ePHI of 9,497 individuals. The subsequent investigation uncovered unacceptable behavior. For example, North Memorial failed to have in place a business associate agreement, as required by HIPAA. Nonetheless, it gave its business associate access to a database with the ePHI of 289,904 patients.
The day following the North Memorial announcement, OCR announced a staggering $3.9 million settlement with the Feinstein Institute for Medical Research. The tale, all too familiar, began with a laptop stolen from an employee’s car. It contained the ePHI of around 13,000 people, including names, dates of birth, addresses, SSNs, diagnoses, laboratory results, and medications. The subsequent investigation uncovered numerous additional problems, including a lack of policies and procedures in place to address potential risks to ePHI. For example, for electronic equipment purchased outside of the standard process, there was no mechanism in place for safeguarding ePHI as required by HIPAA.
In April, OCR reached a $2.2 million settlement with New York Presbyterian Hospital arising out of a very different set of facts. NYP allowed the disclosure of PHI to film crews and staff filming a television show for ABC. Specifically, NYP allowed ABC to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.
OCR entered into several additional multi-million dollar settlements in 2016. One, a $2.7 million settlement with Oregon Health & Science University, began after breach reports impacting thousands of people, including unencrypted laptops and a stolen, unencrypted thumb drive. The subsequent investigation uncovered troubling facts, notably that OHSU was storing ePHI for over 3,000 people on a cloud-based server without a business associate agreement. Another settlement, for $2.75 million with the University of Mississippi Medical Center, began when, you guessed it, a password-protected laptop was stolen from the intensive care unit. The subsequent investigation revealed that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, but took no significant action until after the breach.
Finally, one of OCR’s last settlements of the year was the largest to date against a single entity: a $5.55 million settlement with Advocate Health Care Network. The investigation began after Advocate submitted three breach notification reports, which, when combined, affected the ePHI of around 4 million people. The large fine resulted in part from the findings of the subsequent investigation, which revealed a stunning “extent and duration of the alleged noncompliance (dating back to the inception of the [HIPAA] Security Rule in some instances).”
There are many things a company can do right now to avoid being caught up on this list. Fundamentally, it is imperative to understand the legal landscape and have company-wide policies and procedures in place. Ignorance is never an excuse, and can be costly.
Richard B. Caplan,richard.caplan@leclairryan.com