Over the last 6 months the HHS Office of Civil Rights (OCR) has announced, on average, one settlement or other enforcement action per month. While most of the affected organizations were hospital systems or national companies, one small organization was also included. Here is a quick review of the cases, which include a mix of HIPAA Privacy and HIPAA Security issues:
- NY Presbyterian Hospital Settlement of $2.2 Million regarding unauthorized filming for “NY Med”. On April 28, 2011, New York Presbyterian Hospital (NYP) allowed ABC film crews unfettered access to its facilities to film the TV series “NY Med.” On that day, among other incidents, the crews filmed one person who was dying and another who was in significant distress. OCR released a new FAQ on the subject of allowing media access: Media Access FAQ
- Feinstein Institute for Medical Research (FIMR) settled a case for $3.9 Million regarding an unencrypted laptop that was stolen from an employee’s car on September 2, 2012. Upon investigation, it emerged that FIMR failed to conduct an appropriate risk analysis, failed to implement appropriate procedures for granting employees access to PHI, failed to implement physical safeguards for the laptop, failed to implement policies and procedures governing removal from the facilities of hardware and electronic media containing PHI, failed to encrypt the laptop, and improperly disclosed PHI. FIMR is a wholly-controlled subsidiary of Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, headquartered in Manhasset, NY.
- North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it failed to enter into a Business Associate Agreement with a major contractor and failed to conduct an organization-wide risk analysis. Back in 2012 Eagle wrote about this case (see Wake-up Call for Business Associates – Comply with HIPAA Now), detailing Minnesota Attorney General Lori Swanson’s enforcement action against the business associate, Accretive Health. Swanson’s action was one of the first cases in which a state attorney general used their newly granted HIPAA enforcement authority, and was the first action against a Business Associate.
- Complete P.T., Pool and Land Physical Therapy, Inc., a small physical therapy clinic in Los Angeles, CA, agreed to pay $25,000 to settle charges that it impermissibly posted patient testimonials, including full names and full-face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. OCR found that the organization failed to reasonably safeguard PHI, impermissibly disclosed PHI without an authorization, and failed to implement policies and procedures designed to comply with HIPAA’s authorization requirements.
- Lincare, Inc. was fined $239,800 in civil monetary penalties (CMPs) for HIPAA violations, one of only two cases in which CMPs have been assessed. Generally, the Office of Civil Rights negotiates settlement agreements. In this case, Lincare contested OCR’s enforcement action, which involved a Lincare employee who left behind documents containing information on 278 patients after moving residences. OCR prevailed in the administrative court, which found that Lincare had inadequate policies and procedures to safeguard PHI taken off premises and had impermissibly disclosed PHI. For the details and the methodology used to impose HIPAA fines, see the Notice of Proposed Determination.
- The University of Washington Medicine (UWM) agreed to pay $750,000 to settle charges that it failed to implement appropriate policies and procedures, including comprehensive risk analyses covering all of its affiliates. The specific incident that triggered OCR’s investigation was a malware attack that compromised two systems, one holding records of approximately 76,000 patients and another holding records of approximately 15,000 patients. UWM is an affiliated covered entity with at least 14 “health care components,” including its teaching hospital, outpatient practices and clinics, labs and a medical transportation unit. In its press release, OCR emphasized that compliance efforts must be comprehensive and cover all business entities and all computer systems. In many cases, hospitals limit the scope of the risk analysis to the electronic health record (which is all the Meaningful Use program requires). HIPAA requires that the risk analysis and compliance program cover all electronic systems. Read the OCR Press Release and the Resolution Agreement.
Takeaways from these enforcement actions include:
1) OCR continues to stress the importance of a comprehensive security risk analysis.
2) OCR looks for comprehensive, written policies and procedures.
3) Most enforcement actions result from either a complaint or a self-reported data breach.
4) Encrypting mobile devices that hold PHI is a hot-button issue and a key security control.
5) A comprehensive compliance program is necessary to stay out of trouble.