The Department of Health and Human Services announced a historically large $16 million HIPAA settlement with Anthem, Inc. following its investigation of the equally historic 2014 breach affecting almost 79 million people. Is this an enforcement trend?
The February 2014 cyber attack against Anthem gave the intruders access to members' health care information for more than a year. In addition to impermissible access and disclosure, the Resolution Agreement highlighted failures to (1) perform enterprise-wide risk analysis, (2) implement sufficient procedures to regularly review information system activity, (3) identify and respond to suspected or known security incidents, and (4) implement adequate minimum access controls to prevent cyber-attack access.
This spring, Roger Severino, Director of HHS Office of Civil Rights (OCR), stated that while the majority of its 25,600-plus investigations have been resolved through voluntary cooperation and corrective action, the nature or scope of some breaches warrants enforcement action. OCR's range of 2018 enforcement actions bears witness to this statement.
February 1, 2018
$3.5 million settlement by Fresenius Medical Care North America, a large network of clinics and hospitals, highlighted the:
- Necessity of comprehensive security risk analysis for multi-location organizations
- Need for encryption
- Importance of attention to policy and procedure revision and workforce training
February 13, 2018
$100,000 settlement by Filefax, Inc., a business associate in receivership, confirmed HIPAA's continuing obligations and liability after an organization ceases operations.
June 18, 2018
Civil Money Penalty judgment of $4.35 million against MD Anderson Cancer Center emphasized the:
- Necessity for implementing safeguard policies, such as encryption
- Impact of inadequate historical compliance despite policies as far back as 2006
- Reach of HIPAA obligations to all PHI maintained on a network, including research data not generated by the provider
September 20, 2018
Settlements with Boston Medical Center ($100,000), Brigham and Women's Hospital ($384,000), and Massachusetts General Hospital ($515,000) following the hospitals' participation in a film documentary reinforced the requirement to obtain patient authorizations prior to granting "strangers" access to clinical areas for filming or other reporting.
What are common HIPAA failures identified by OCR?
- Failure to conduct sufficient enterprise-wide security risk analysis
- Failure to manage identified risks such as an absence of encryption
- Lack of transmission security (encryption of PHI in transit)
- Failure to enter into Business Associate Agreements
- Lack of appropriate auditing
- Failure to patch software
- Insider threats
- Improper disposal of devices and documents
- Insufficient data backup and contingency planning
What can you do?
- Conduct sufficient regular enterprise-wide security risk analysis; OCR has made it clear this is not a "check the box" activity and must be comprehensive
- Integrate a security and risk management plan into business processes to identify, monitor and address identified risks
- Implement security safeguards such as encryption; this is imperative in light of increased cyberattack frequency
- Implement a robust business associate management program to ensure BAAs are in place as appropriate and address breach/security incident obligations
- Dispose of PHI on media and paper properly and in a timely manner
- Provide regular workforce training specific to your organization to reinforce workforce members' critical role in protecting privacy and security
Beth Pittman is of counsel with Waller, where she practices health law.