In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data breach reports. It is a mistake to believe that timely and otherwise compliant reporting of supposed “no harm, no foul” data breaches will result in minor, if any, enforcement activity; that is, if the agency believes you have not satisfactorily complied with the privacy and security standards. Depending on the circumstances of the breach, an OCR investigation will look at why the breach occurred, but it likely will go beyond that to examine compliance with basic HIPAA privacy and security standards, even if indirectly related to the breach at hand.
Let’s see how this could play out. In the case of the $3.5 million settlement with Triple-S Management Corporation, there were a number of breaches reported to OCR:
· Former Triple-S employees, while employed by a Triple-S competitor, improperly accessed restricted areas of a Triple-S subsidiary’s database. According to OCR’s announcement, the individuals’ access rights were not terminated upon leaving Triple-S employment. This allowed the former employees to access names, contract numbers, home addresses, diagnostic codes and treatment codes of covered individuals.
· As we reported, a Triple-S subsidiary reported to OCR that in September 2013 a vendor disclosed Medicare Advantage beneficiaries’ protected health information (PHI) on the outside of a pamphlet mailed to the beneficiaries, about 13,000 of them.
· In another breach, a Triple-S subsidiary reported that a former employee of a business associate copied beneficiary ePHI onto a CD, took it home for an unknown period of time, and then downloaded it onto a computer at his new employer. The ePHI included beneficiaries’ enrollment information, including names, dates of birth, contract numbers, HICN, home addresses, and Social Security numbers.
· Another breach involved enrollment staff who placed the incorrect member ID cards in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual. The PHI included members’ names, identification numbers, benefit packages, effective dates, contract numbers, co-payments and deductibles.
Note – these are not sophisticated systems attacks carried out by unnamed international identity theft rings or by nation states. They are essentially mistakes in the handling of PHI that can happen at any covered entity or business associate.
Each of the incidents above affected more than 500 individuals, and there were a handful of other breaches summarized in the resolution agreement affecting fewer than 500 individuals. But there was no discussion of harm to any affected individuals in support of the settlement amount. Instead, OCR itemized a number of alleged compliance failures, not all of which directly led to the breaches, such as:
· Not implementing appropriate administrative, physical, and technical safeguards to protect PHI
· Disclosing PHI to an outside vendor without a business associate agreement
· Using and disclosing more than the minimum necessary PHI
· Not conducting an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems
· Not implementing sufficient security measures to reduce risk to ePHI to a reasonable and appropriate level.
In addition to paying $3.5 million, Triple-S will need to establish a comprehensive compliance program satisfactory to OCR that includes a risk analysis and a risk management plan, policies and procedures for compliance with HIPAA requirements, training and other measures.
Of course, OCR’s approach makes sense in that its purpose generally is not to remedy harm to individuals affected by data breaches, but to enforce compliance with the HIPAA privacy and security standards. Covered entities and business associates should therefore avoid underestimating potential regulatory exposure because of a “no harm, no foul” view of reported data breaches. Compliance and steps to prevent breaches are the agency’s focus, not whether the breach actually harms affected persons, although significant harm to affected individuals would strengthen the agency’s enforcement position.
Preparedness is key!