August 10, 2020

Volume X, Number 223


$750,000 HIPAA Settlement Reinforces Need to Be Proactive

As the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) proceeds with its second round of HIPAA audits, this time covering business associates as well as covered entities, a recent settlement with a physician group providing cancer care services serves as a reminder that failure to take HIPAA security seriously can result in hefty fines and a supervised corrective action plan.

The issue began on July 19, 2012, when a laptop bag was stolen from an employee’s car. Although the laptop itself did not contain any electronic Protected Health Information (“ePHI”), backup media for a computer server was also in the bag. That backup media contained the ePHI of approximately 55,000 individuals and was unencrypted. The lack of encryption is what made the theft a reportable breach: under HHS’s breach notification guidance, ePHI that has been encrypted consistent with NIST standards is not “unsecured” PHI, so the loss of properly encrypted media (with the key stored separately) would not have triggered notification. As required, the covered entity, a cancer care physician group, reported the breach to OCR. OCR conducted an investigation and, as a result of that investigation, alleged that the covered entity had: (1) “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to the PHI; (2) “failed to implement policies and procedures that govern the receipt and removal of [ePHI] into and out of its facility”; and (3) “impermissibly disclosed” ePHI by failing “to safeguard unencrypted back-up tapes. . . .” The outcome, three years after the initial breach, was a $750,000 fine and a corrective action plan.

The corrective action plan is in effect for three years and requires the covered entity to submit certain information to HHS for its approval. Specifically, the corrective action plan requires the covered entity to conduct a comprehensive and thorough risk assessment within 90 days after the “effective date” of the agreement. The covered entity must provide a copy of that risk assessment to HHS for review. HHS will then inform the covered entity whether it approves or disapproves of the risk assessment. If HHS disapproves, the covered entity has 60 days to revise its risk assessment to address HHS’s concerns and resubmit it. The submission/review cycle continues until HHS approves the risk assessment.

Once HHS approves the risk assessment, the covered entity then has 90 days to submit a risk management plan for HHS’s approval. Once again, the review and approval process takes place until HHS approves the covered entity’s risk management plan. After the approval of the risk management plan, the covered entity must provide HHS with copies of appropriately revised policies and procedures (to the extent revision is necessary based on the risk management plan). Once again, the review process continues until HHS approves the revised policies. The covered entity must do the same with its training program.

In addition, under the corrective action plan, the covered entity submits reports annually and must notify HHS of “Reportable Events.” A “Reportable Event” is broadly defined as any instance in which a workforce member fails to comply with the covered entity’s privacy and security policies. Notably, any breach of the corrective action plan exposes the covered entity to potential additional civil monetary penalties.

The current action echoes OCR’s findings and concerns expressed during Phase 1 of its HIPAA audits. Those audits identified various areas of frequent noncompliance with HIPAA standards, including: risk analysis and risk management, individual access and access control, the reasonable safeguards requirement (including encryption and decryption), device and media controls, transmission security, training, and the content and timeliness of breach notifications. OCR indicated that these noncompliance areas would form the foundation of the Phase 2 audits. The alleged deficiencies for which the recent fine was imposed fall squarely within the Phase 2 priorities.

The penalty and corrective action plan serve as a reminder to both covered entities and business associates to ensure that risk assessments and policies are up to date, are well documented, and provide for adequate safeguards for the nature and scope of the business involved.

©2020 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume V, Number 257


About the Authors

ARTHUR J. FRIED is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's New York office. He represents all types of health care providers, including academic medical centers, hospitals, and faculty practices.

Mr. Fried:

  • Advises hospitals, academic medical centers, and other providers in such areas as strategic health system development, physician integration, health care reform, medical staff matters, and governance

  • Provides advice on...


PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

  • Advising clients on a variety of matters related to federal and state antitrust issues

  • Representing clients in antitrust matters before the Federal Trade Commission, the United States Department of Justice, and state antitrust authorities

  • Advising clients on issues related to HIPAA privacy and security

  • Advising clients on issues related to state licensure and regulatory requirements