Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
OCR announced on June 29 that the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a $650,000 settlement and corrective action plan for potential HIPAA violations after the theft of an iPhone compromised the health information of more than 400 nursing home residents. This resolution agreement marked the first time that OCR entered into a settlement with a business associate directly.
CHCS operated as a business associate to six skilled nursing facilities, providing management and information technology services. The iPhone stolen from CHCS was unencrypted and not password protected, even though it stored extensive information including social security numbers and detailed medical information. OCR highlighted in its press release that CHSH had not completed a risk analysis or risk management plan, had no policy for the removal of mobile devices containing PHI from its facility, and had no security incident response plan. In the settlement, CHCS agreed to develop and implement the necessary policies and procedures to secure personal health information, including on mobile phones, as part of its two-year corrective action plan.
OCR announced on July 18 a $2.7 million settlement and three-year corrective action plan with Oregon Health and Science University (OHSU), after the public university reported several breaches involving unencrypted laptops and a stolen unencrypted thumb drive. Upon investigating these incidents, OCR discovered that OHSU was storing the ePHI, including sensitive health information, of more than 3,000 individuals on a cloud-based server without a business associate agreement. OCR also found that though OHSU had performed security risk analyses in the past, those analyses did not cover all ePHI in OHSU’s enterprise, and OHSU did not act in a timely manner to address the risks identified. In announcing the agreement, OCR Director Jocelyn Samuels stated, “OHSU should have addressed the lack of a business associate agreement before allowing a vendor to store ePHI,” As part of the corrective action plan, OHSU will implement encryption for all mobile devices with access to PHI and develop a comprehensive risk management plan covering all systems, networks, and devices engaging with PHI.
Shortly thereafter, OCR announced on July 21 a $2.75 million settlement and a three-year corrective action plan with the University of Mississippi Medical Center (UMMC) after a stolen laptop was reported to OCR as a breach. OCR’s investigation of that incident revealed that UMMC maintained an unsecured network drive accessible by generic username and password to UMMC wireless network users. That drive contained the ePHI of an estimated 10,000 individuals. In its resolution agreement, OCR focused on UMMC’s alleged failure to implement safeguards against known risks and vulnerabilities in the systems storing ePHI. OCR highlighted in its press release that the generic username and password used by UMMC was insufficient security for a wireless network containing ePHI; UMMC should have implemented a unique user ID system so it could track which specific users accessed ePHI. Under its corrective action plan, UMMC is required to draft an enterprise-wide risk analysis and risk management plan to reduce the risks and vulnerabilities to ePHI in its systems.
These three resolution agreements provide the following insights into OCRs focus and approach to HIPAA investigations and enforcement:
Appropriate security risk analysis and management are critical to HIPAA compliance for covered entities and business associates and the failure to document compliance efforts can result in significant penalties.
Entities should ensure that a comprehensive risk management plan covers everywhere ePHI is maintained—including mobile phones, wireless networks, laptops, thumb drives, and cloud storage centers—and ensure appropriate safeguards are in place for its protection.
Though business associates have been subject to the requirements of the HIPAA Security Rule for years, they are officially on notice that breaches and investigations of their compliance can result in significant settlement amounts and corrective action plans.
A single breach or incident can lead to a much more extensive OCR investigation. Many of the alleged findings on which settlement amounts and corrective action plans are based relate not to the incident initially investigated, but to unrelated non-compliance identified through further investigation. Many incidents now lead to a comprehensive HIPAA compliance investigation, and entities reporting breaches should be prepared to provide information and documentation related to their entire HIPAA compliance program OCR breach investigations.
Riane Harper, a summer associate in the Washington, D.C. office, contributed to this entry.
Authored by Madeline Gitomer