Two HIPAA Mistakes Lead to Fines from OCR
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and its failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!
The CardioNet settlement is the first HIPAA settlement involving a wireless health services provider. The settlement arose from a breach investigation involving the theft of a CardioNet employee’s laptop from a car. That laptop contained the electronic protected health information (“ePHI”) of almost 1,400 individuals. As is typical in these HIPAA settlements, the stolen laptop was just the beginning of CardioNet’s woes. OCR’s investigation of the breach indicated that CardioNet had not finalized its HIPAA security policies and procedures and had not conducted a sufficient risk analysis and risk management process.
Though the underlying facts of the CardioNet breach aren’t new (see the very similar facts of a 2014 settlement involving QCA Health Plan, Inc.), the settlement does indicate OCR’s interest in the HIPAA compliance of mobile health technology companies. Though these companies do not interact face-to-face with patients, if they meet the definition of a covered entity under HIPAA, they have the same compliance obligations as a hospital, physician, or health plan. Additionally, certain health technology companies may be business associates of covered entities. OCR previously published guidance on use scenarios under which a technology company would be a business associate, and therefore be subject to HIPAA compliance obligations.
Center for Children’s Digestive Health
The CCDH settlement arose from an investigation of CCDH’s business associate, FileFax, Inc. FileFax came under scrutiny from OCR and the Illinois Attorney General in 2015 after allegations that it had disposed of paper medical records of a health care provider client in a dumpster. In connection with the FileFax investigation, OCR initiated a compliance review of CCDH. Although CCDH had been disclosing protected health information (“PHI”) to FileFax since 2003, the two companies did not enter into a business associate agreement until October 2015. All told, CCDH disclosed the PHI of nearly 11,000 individuals without having the appropriate safeguards in place.
The main takeaway from both settlements is that covered entities must ensure that their HIPAA programs are compliant, robust, and well-documented. In both instances, the underlying breach may have been avoided by having an appropriate HIPAA compliance program in place. However, even if the covered entities’ compliance programs hadn’t avoided the laptop theft or the bad conduct of a vendor, their real trouble began when OCR looked at broader non-compliance issues within the organization.