First Ever HITECH Act Breach Notification Enforcement Action Settled for $1.5 Million
By: Kelly S. Kuglitsch & Andrew J. Bezouska
Settlement confirms broad spectrum of HHS enforcement activity; Health Care Providers and all employers subject to HIPAA should review sufficiency of HIPAA/HITECH practices.
On March 13, 2012, the Office for Civil Rights (OCR), the HIPAA-enforcement arm of the U.S. Department of Health and Human Services (HHS), announced a $1.5 million settlement with an insurer in resolution of the first enforcement action resulting from a Breach Notification under the Health Information Technology for Economic and Clinical Health Act (HITECH). The $1.5 million penalty is the maximum civil monetary penalty, as revised upwards by HITECH, for HIPAA violations that occur within a single year.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” stated OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
The settlement relates to the October 2009 theft from a network data closet of 57 unencrypted computer hard drives owned by Blue Cross and Blue Shield of Tennessee (BCBST) and stored at a leased facility. The drives contained audio and video recordings of customer service calls that included the names, social security numbers, diagnosis codes, and dates of birth of more than 1 million individuals. Upon investigation, HHS determined that BCBST (a HIPAA covered entity) failed to perform a renewed security evaluation in response to a facility relocation and failed to implement appropriate physical safeguards. In addition to paying the $1.5 million penalty, BCBST must enter a 450-day corrective action procedure, under which it will prepare and implement specified revised procedures and substantiate such implementation to HHS.
Under the breach notification rules, a “breach” is the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.” The definition is subject to several qualifications and exceptions that require a detailed case-by-case analysis to determine whether a breach has occurred. Once it is determined that a breach has occurred, the affected individual(s) must be notified and provided with related information within 60 days of the discovery of the breach. If a breach affects more than 500 individuals, HHS and certain prominent media outlets must also be notified.
It should be noted that HHS was first made aware of the breach (and related HIPAA violations) because BCBST properly self-reported the breach to HHS (and to media outlets) as required under HITECH.
One clear takeaway from the BCBST settlement agreement is that mere compliance with the HITECH breach notification rules does not limit exposure to HIPAA violation penalties. In this case, the breach notification given to HHS led directly to the investigation that identified additional HIPAA Privacy and Security errors. This is what Rodriguez undoubtedly means when he refers to the breach notification rule as “an important enforcement tool.”
Another fact made clear by the settlement is that HHS is now actively enforcing HIPAA and HITECH compliance on all fronts. Even before setting precedent with this high-dollar breach settlement, HHS had been working to implement a plan to systematically examine the ongoing HIPAA compliance of covered entities and business associates.
As announced by HHS in late 2011, a pilot HIPAA audit initiative is already underway with up to 170 test audits expected to be completed by December 31, 2012. The HITECH legislative mandate that HHS “conduct periodic audits” guarantees that audits can be expected to continue beyond the 2011-2012 pilot audit period.
The odds of being targeted for a HIPAA audit, and/or of ending up in the position of having to self-report a HIPAA violation (i.e., a breach), have never been higher. And in light of the enhanced penalty structure, the stakes have never been higher either.
To avoid making headlines of their own, privacy and security officers of covered entities (health care providers, group health plan sponsors, and health clearinghouses) and business associates should take the following steps:
- Review HIPAA policies, procedures, and business associate agreements. Have they been updated for HITECH changes?
- Ensure that a breach detection, assessment, and response plan has been created and coordinated with business associate agreement language.
- Document staff HIPAA training; offer refresher courses as appropriate.
- Observe workstations and storage locations and talk with staff to assess whether written policies are properly implemented and enforced.
- Assess physical security measures. The vast majority of reported breaches are based on loss, theft, or improper access to paper files or laptop computers.
- Review electronic health record security and confirm that encryption software is up to date.
- Reevaluate your HIPAA security risk analysis and determine whether it should be revised in light of intervening business changes.
Contact Kelly Kuglitsch (firstname.lastname@example.org) at (414) 225-1417, Andrew Bezouska (email@example.com) at (608) 280-6205, or your Davis & Kuelthau attorney to obtain advice or assistance in connection with your company’s or benefit plan’s HIPAA and HITECH compliance, or to discuss other employee benefits matters.