In almost the first three quarters of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has settled three cases related to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”), totaling $1,165,000. These settlements underscore OCR’s continued focus on enforcement of the HIPAA Security Rule.
Most recently, on July 27, 2020, Lifespan Health System (“Lifespan”) agreed to pay $1.04 million to OCR to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of an unencrypted hospital employee laptop, which compromised the electronic protected health information (“ePHI”) of over 20,000 individuals. OCR’s investigation concluded that Lifespan had systematic noncompliance with HIPAA requirements, including failure to encrypt its ePHI after having determined it was reasonable and appropriate to do so.
On July 23, 2020, Metropolitan Community Health Services (“Metro”) agreed to pay $25,000 and entered into a corrective action plan after a compromised email account revealed the ePHI of over 1,200 patients. OCR noted in its press release that the OCR investigation determined that Metro had longstanding, systemic noncompliance with the HIPAA Security Rule. These included purported failures to prepare a HIPAA risk assessment, adopt HIPAA policies and procedures, and adequately train employees.
On March 3, 2020, Steven A. Porter, whose medical practice provides gastroenterological services to approximately 3,000 patients annually, agreed to pay $100,000 to resolve allegations of sustained failure to have in place a sufficient security management process. These included failures to conduct a risk analysis at the time of a data security breach, or to implement security measures to reduce vulnerabilities and risks in the wake of the incident.
In each of the three resolution agreements it has entered into with Covered Entities in 2020, alleged non-compliance with the administrative and technical safeguards of the HIPAA Security Rule have been a central focus. In particular, OCR has focused on the following elements the Security Rule:
- Encryption practices designed to protect ePHI
- Conducting accurate and thorough risk analyses to determine vulnerabilities in security of ePHI
- Creating a risk management plan that corrects for weaknesses in security policies and procedures discovered in a risk analysis or internal audit of security policies and procedures
- Developing business associate agreements that ensure Business Associates will appropriately safeguard ePHI
- Conducting appropriate training for employees who come into contact with ePHI as part of their professional duties
The first three HIPAA settlements of 2020 highlight that compliance with the Security Rule remains a top priority for OCR in its investigations. In all three investigations, OCR scrutinized the Covered Entities’ alleged sustained failure to implement appropriate safeguards in accordance with the HIPAA Security Rule standards, at times knowingly. These settlements emphasize the importance of regular internal checks, including security risk assessments, system audits, tracking procedures, and other safeguards to ensure Covered Entities are consistently in compliance with the Security Rule.