The Department of Health and Human Services (HHS) continues to show that it is serious about investigating and enforcing breaches of the HIPAA privacy and security rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic protected health information (ePHI). The two organizations had reported the theft to HHS, as the HITECH breach-notification rule requires.
In its news release, HHS was particularly pointed about the covered entities' security practices:
- "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
- "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
- "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."
As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.
A few takeaways:
- This case happened to involve a medical provider and a research organization, but nothing about the outcome turned on that status. Any covered entity, including a group health plan, could easily face the same problem (loss of a portable device holding ePHI) and the same resolution (a stiff penalty plus a multi-year corrective action plan).
- The security rule is sometimes treated as an afterthought next to the privacy rule, but a violation of the security rule will be dealt with just as harshly as, if not more harshly than, a violation of the privacy rule.
- The breach-notification rule amplifies the effect of the privacy and security rules by bringing violations that result in a breach to HHS's attention. Once a breach occurs, it is too late to repair the damage: the breach itself must be reported, even if the underlying failure is corrected. Breaches must be avoided if at all possible, and for laptops and other portable devices the practical control is encrypting ePHI at rest, since the loss of data encrypted in accordance with HHS's guidance generally does not count as a breach of "unsecured" PHI and so does not trigger the reporting obligation.
For prior coverage regarding HIPAA enforcement activity, see here and here.
I'll be discussing HIPAA privacy and security compliance for group health plans on November 13 as part of our HR Box Lunch Fall Series. See here for more details.