News & Announcements
Recent Enforcement Activity
Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and implementing a corrective action plan. OCR's investigation revealed that Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR. "Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements," said OCR Director Jocelyn Samuels. "Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach."
The University of Massachusetts Amherst (UMass) was investigated by HHS following a report that a workstation in the UMass Center for Language, Speech, and Hearing had been infected with malware. The infection resulted in the disclosure of protected health information of 1,670 individuals. The HHS investigation revealed that UMass had failed to implement security measures such as ensuring that firewalls were in place, and that UMass had failed to conduct an accurate and thorough risk analysis until years after the malware infection. The settlement between HHS and UMass requires UMass to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures related to compliance and security, and retrain its staff. The settlement also included a monetary payment of $650,000, an amount that reflects the fact that the University operated at a financial loss in 2015.
HHS investigated Oregon Health & Science University (OHSU) after it reported multiple breaches involving thousands of individuals, including breaches related to unencrypted laptops and an unencrypted thumb drive. HHS determined there were widespread vulnerabilities in the OHSU HIPAA compliance program, even though OHSU had completed risk analyses as required under HIPAA in 2003, 2005, 2006, 2008, 2010 and 2013. The HHS investigation revealed that the risk analyses performed by OHSU had not covered all of the PHI in the OHSU enterprise, that OHSU had not entered into a business associate agreement with a cloud storage vendor that was storing the PHI of over 3,000 individuals, that it had failed to implement encryption despite identifying lack of encryption as a risk, and other weaknesses. In addition to the monetary payment, OHSU is required to be monitored by and make reports to HHS on a regular basis for the next 3 years.
North Memorial Pays $1.55 Million for Loss of PHI by Business Associate, Failure to Have Business Associate Agreement, and Lack of Risk Assessment
On March 16, 2016, HHS announced that North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it had potentially violated HIPAA. Accretive Health, Inc., was given access to North Memorial's PHI to perform certain services, although the parties did not enter into a Business Associate Agreement as required under HIPAA. A laptop belonging to an Accretive employee was stolen, exposing the ePHI of over 9,000 individuals. The laptop was password protected, but not encrypted. A login password alone does not protect data at rest: anyone who removes the drive or boots the machine from other media can read it, and only encryption that meets HHS guidance qualifies for the Breach Notification Rule's safe harbor. Investigation by HHS also revealed that North Memorial had failed to complete a risk assessment of its IT infrastructure.
An orthopaedic clinic in Raleigh, N.C. agreed to pay $750,000 for failing to have a business associate agreement in place with a vendor that received x-rays of over 17,000 of the clinic's patients. The vendor was hired to transfer the x-ray images to electronic media, but no business associate agreement existed between the clinic and the vendor. In addition to the monetary payment, the clinic was required to establish a process for assessing whether vendors are business associates, designate someone responsible for ensuring that business associate agreements are in place before PHI is released to vendors, and update other policies and procedures.
On April 21, 2016, NY Presbyterian Hospital agreed to pay $2.2 million for unauthorized disclosure of patient information to ABC film crews who were filming for the ABC series NY Med. The film crews were on the premises of NY Presbyterian and captured footage of one patient who was dying and another who was in significant distress. Neither patient had authorized the filming. HHS found that NY Presbyterian blatantly violated HIPAA requirements to keep patient information protected, allowing ABC film crews virtually unlimited access to its facility. In addition to the monetary penalty, NY Presbyterian is required to submit reports to and be monitored by the Office for Civil Rights for the next 2 years.
Approximately 13,000 research participants and patients were impacted when a laptop containing their names, SSNs, dates of birth, addresses, diagnoses, lab results and medical information was stolen. Feinstein Institute for Medical Research was investigated by HHS following the initial report of the theft. The investigation revealed that Feinstein had a limited security management process that was insufficient to address potential risks and vulnerabilities to PHI. Office for Civil Rights (the enforcement agency of HHS for HIPAA matters) Director Jocelyn Samuels stated that "for individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure."
The PHI of 90,000 individuals was accessed after a UW Medicine (University of Washington) employee downloaded an e-mail attachment containing malware. HHS conducted an investigation, in which it found that UW had failed to adequately perform risk assessments and implement safeguards to protect against such intrusions. UW agreed to pay $750,000, institute a corrective action plan and submit compliance reports to HHS for the next two years.
A laptop stolen from an unlocked treatment room led to an HHS investigation of Lahey Hospital. The investigation revealed widespread non-compliance with HIPAA, resulting in an $850,000 settlement.