
Blog Post

March 3, 2016

Recent HIPAA Enforcement Emphasizes the Necessity of Comprehensive System-Wide Risk Analysis

Health care providers are learning firsthand the dangers of limited HIPAA risk analyses. For those who fail to heed the warning sounded by the Director of the Office for Civil Rights, HHS (OCR) in December 2015, enforcement beckons. The OCR Director Jocelyn Samuels cautioned: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.” Recent OCR enforcement activities highlight the necessity of a comprehensive, agency-wide risk analysis to ensure that risks to patient data are identified and addressed before the government comes knocking. The following cases underscore this point.

ALJ Upheld $239,800 Penalty Against Lincare Inc.

On January 13, 2016, an Administrative Law Judge upheld the $239,800 penalty against Lincare, an in-home respiratory care, infusion therapy, and medical equipment provider, for failing to implement appropriate safeguards with respect to employees removing patients’ Protected Health Information (PHI) from the office. Without the appropriate policies in place or an agency-wide risk analysis, Lincare failed to identify missing files containing patients’ PHI that were left in the back of an employee’s car for months. The ALJ upheld the OCR’s imposition of $239,000 in penalties against Lincare for violating HIPAA.

$750,000 Penalty for Failure to Implement Appropriate HIPAA Policies

On December 14, 2015, the University of Washington Medicine (UWM) agreed to settle charges that it potentially violated HIPAA’s Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations. The OCR investigated after receiving a breach report that the electronic Protected Health Information (ePHI) of approximately 90,000 individuals was accessed when an employee downloaded an email attachment containing malware. OCR’s investigation indicated UWM did not adequately ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

$750,000 HIPAA Settlement Against Cancer Care Group, P.C.

The OCR recently announced a $750,000 penalty against the Cancer Care Group (CCG), a practice comprising only 13 physicians, after a CCG laptop and unencrypted backup media containing approximately 55,000 patients’ ePHI were stolen from an employee’s car. The investigation indicated that CCG never conducted an enterprise-wide risk analysis prior to the breach and, despite regularly transporting ePHI, never established or implemented written policies regulating the removal of hardware and electronic media containing ePHI. CCG’s Corrective Action Plan (CAP) emphasized the importance of: (1) conducting security risk analyses at regular or as-needed intervals, (2) implementing responsive risk management plans, and (3) updating training materials and policies and procedures.

The moral of the story is clear: adopt and implement comprehensive and effective organization-wide risk analysis policies and procedures to ensure compliance with the HIPAA Security Rule.
