At the end of June 2016, the Office for Civil Rights of the U.S. Department of Health and Human Services announced what appears to be the first monetary settlement of a health information security complaint against a contractor, or “business associate,” which provided management and information technology services to skilled nursing facilities. The OCR press release is here.
The settlement resulted from the theft of a company iPhone from an employee. The iPhone was neither encrypted nor password protected, and contained patient social security numbers, health information, and the names of family members. The investigation revealed that the contractor had no policies addressing the removal of mobile devices containing PHI from its facilities or what to do in the event of a security incident, and had no risk analysis or risk management plan. The contractor paid a settlement of $650,000, and entered into a corrective action plan with HHS. The corrective action plan – available at the same link as the press release – contains a useful list of security policies that OCR wants to see in the corrective action plan.
This settlement follows one in March and another in April in which health care providers settled claims that they failed to have business associate agreements with contractors. In the March settlement, a Minnesota hospital paid $1,150,000 to settle a complaint that it failed to have a business associate agreement with a contractor that lost a password protected but unencrypted laptop, stolen from an employee’s locked car. The laptop contained health information of some 9,000 individuals. The press release is here. OCR’s investigation found that the provider gave the contractor access to its entire hospital patient database without a business associate agreement. It also found that the provider had failed to complete a risk analysis to address vulnerabilities of electronic health information across its entire technology infrastructure – suggesting that its risk analysis did not include this contractor’s access.
In the subsequent settlement, an orthopedic clinic in North Carolina paid $750,000 to settle charges that it handed over x-ray films of some 17,000 patients to a potential business partner without a business associate agreement. The recipient was to transfer the images to electronic media in exchange for the silver in the x-rays. In the HHS press release, the Director of OCR is quoted as saying, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” The press release is here.
It is not surprising that OCR should have taken aim at a business associate: business associates have been subject to the HIPAA Security Rule since the enactment of the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) in 2009, and the adoption of implementing regulations (the so-called HITECH “Omnibus Rule”) in 2013. It is a little surprising that OCR would levy heavy penalties on providers for not having business associate agreements: these agreements were originally a mechanism to enforce compliance on contractors, which were not subject to direct regulation under HIPAA. As the most recent settlement shows, the HITECH Act now gives OCR the ability to sanction business associates directly, and business associate contracts are by comparison a weak – and arguably unnecessary – means of enforcement.
There are several settlements on record concerning lost laptops; the lost iPhone appears to be the first of its kind. In response to the government’s request for help with the investigation of the San Bernardino attack, Apple stated that devices using iOS 8 are so well encrypted that even it does not have the ability to access data on a locked device without the user’s passcode; older versions of the operating system are apparently less secure. In the recent OCR case, the iPhone was apparently not protected by a passcode. This most recent settlement suggests that providers that allow use of iPhones to access health information should ensure that the devices are running an up-to-date operating system, are passcode protected, and are set to lock quickly.
As this and the several stolen-laptop settlements illustrate, portable devices continue to present unusual risks, and require particular attention. Almost ten years ago HHS issued a guidance on security implementation for laptops, smart phones and other portable devices. Although technology – and the means of protecting it – have advanced, the guidance is still relevant in its focus on risk analysis and risk management – the neglect of which is a theme that runs through the narrative of almost all OCR settlements.
Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including compliance counseling, policies and procedures, workforce training and managing data breaches.