OCR started 2013 with a bang by announcing that it had reached “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals” with the Hospice of North Idaho (“HONI”). Under the resolution agreement, HONI has agreed to pay $50,000 and enter a two-year Corrective Action Plan to settle potential violations of the HIPAA Security Rule stemming from the June 2010 theft of an unencrypted laptop containing the ePHI of 441 HONI patients. As HITECH does not require covered entities to immediately report breaches involving fewer than 500 individuals to OCR so long as they are reported annually, HONI properly reported the theft to OCR in its annual breach report. OCR nonetheless launched an investigation that concluded the following:
- HONI did not conduct an appropriate risk assessment regarding the confidentiality of ePHI stored and transmitted using portable electronic devices; and
- HONI did not have in place policies and procedures to address mobile device security as required under the HIPAA Security Rule.
In addition to the $50,000 settlement payment, HONI also agreed to enter into a two-year Corrective Action Plan—perhaps the most onerous aspect of the resolution agreement. The Plan includes the following obligations:
- HONI must notify OCR in writing within thirty days of discovering that a workforce member may have failed to comply with Privacy and Security policies and procedures. The notice must include:
  - a complete description of the event, including the relevant facts, the persons involved, and the Privacy and Security policies implicated; and
  - a description of the actions taken and further steps HONI plans to take to address the matter, mitigate harm, and prevent it from recurring, including the application of sanctions against workforce members who fail to comply with Privacy and Security policies and procedures.
- If no reportable events occur within the two-year compliance period, HONI must inform OCR in writing within thirty days of expiration of the corrective action plan; and
- HONI must maintain all documents and records relating to compliance with the Corrective Action Plan for six years from the effective date of the agreement.
Should HONI breach the Corrective Action Plan, it would be subject to civil monetary penalties.
According to the OCR Press Release, HONI has “taken extensive additional steps” since the June 2010 theft to improve its HIPAA Privacy and Security compliance program. Nonetheless, OCR Director Leon Rodriguez emphasized that the action “sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ information.” Mr. Rodriguez also stressed the importance of encryption, calling it “an easy method for making lost information unusable, unreadable, and indecipherable.” Based on these comments, this settlement could be just the beginning of a busy enforcement year for OCR.
The Press Release also announced a new educational initiative intended to offer healthcare providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones. Of the past five HITECH-related resolution agreements published by OCR, all five have involved unencrypted portable electronic devices. To address this problem, OCR has partnered with the Office of the National Coordinator for Health Information Technology to provide a new website with videos and other information regarding how to secure and maintain mobile devices.
Here are some observations regarding the importance of this settlement:
Now is the time, no matter the size of your organization.
This settlement is a shot across the bow to all covered entities that have yet to implement a HIPAA compliance plan. Retroactive implementation of policies and procedures, such as the “extensive steps” HONI had taken since the June 2010 theft, is simply not enough to mitigate the impact of a resolution agreement. This settlement also demonstrates that size doesn’t matter when it comes to OCR enforcement. Covered entities of all sizes are officially on notice—if you haven’t implemented an effective compliance plan, now is the time.
Expect an investigation following a breach involving a portable electronic device.
All of the resolution agreements published by OCR in 2012 were the product of investigations stemming from breaches involving portable electronic devices. HONI is no exception, and there is no indication that OCR will deviate from this enforcement pattern any time soon.
Encrypt if you can. If you can’t, document why.
Mr. Rodriguez’s comments and the language of the HONI resolution agreement could indicate an even stronger focus on encryption in the coming year. Encryption is an “addressable” implementation specification for several technical safeguards under the HIPAA Security Rule, meaning a covered entity is not required to implement encryption technology if it determines that implementation is not reasonable and appropriate. If a covered entity makes such a determination, it must document why implementation would not be reasonable and appropriate and implement an equivalent alternative measure if that measure is reasonable and appropriate. According to the HONI resolution agreement, HONI did not document its determination that encryption was not reasonable and appropriate. Prior resolution agreements have included similar language. In addition, Mr. Rodriguez’s description of encryption as an “easy” method of protecting ePHI may indicate that OCR will be focusing on a covered entity’s documentation of valid reasons for choosing not to encrypt portable electronic devices in the coming year.