Enforcement activity under the HIPAA Security Rule has picked up steam in recent years. HIPAA establishes various privacy, information security, and breach notification requirements for healthcare providers and other covered entities. In its early HIPAA enforcement days, the Office for Civil Rights of the Department of Health and Human Services (OCR) generally focused on the HIPAA Privacy Rule, but in recent years it has placed growing emphasis on Security Rule enforcement as well. This article offers some brief thoughts on the Security Rule-related settlement agreements that the OCR has entered into recently, and what they might indicate for the future of HIPAA enforcement.
Since January 2016, the OCR has entered into resolution agreements with, and imposed Corrective Action Plans (CAPs) on, providers and others in at least 12 matters involving the Security Rule. It has also imposed a Civil Monetary Penalty on one entity. Most of these cases involve stolen, unencrypted laptop computers (at least six cases), mobile devices such as iPads or iPhones, office computers, or portable storage devices.
A smaller number of these cases involve unauthorized access to information networks by third parties or employees, malware infections, the loss of backup tapes, or reports containing medical information being publicly accessible on the internet. (Some of these cases involve more than one breach.) The entities involved include hospitals, academic medical centers, a wireless health service provider, a life insurance company, and a federally qualified health center. The fines imposed range from $400,000 to $5.55 million, with the more modest fines often being levied on entities of limited financial means.
Notably, while the underlying facts of these cases vary somewhat, their CAPs do not. All 12 of the CAPs hone in on the obligation under the Security Rule to perform an annual Risk Analysis and Risk Management Plan. The CAP typically describes this obligation in expansive terms. It could include a requirement to perform a “comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of” electronic Protected Health Information (ePHI) on all electronic equipment, data systems, and applications controlled, administered, or owned by the entity that contains, stores, transmits, or receives ePHI.
The CAP generally requires that the entity develops “a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into” the Risk Analysis. It further instructs the entity to either perform a Risk Analysis or improve the existing (inadequate) one, typically pursuant to some timeline and always subject to HHS’ review and approval. Likewise, all 12 CAPs require the entity to develop and implement, or to enhance, an enterprise-wide Risk Management Plan to address and mitigate any security vulnerabilities found in the Risk Analysis, again subject to HHS’ review and approval. The Risk Analysis and Risk Mitigation Plan are typically required to be reviewed annually and updated in response to any “environmental or operational” changes that affect the security of the ePHI.
It is telling that not a single Risk Analysis or Risk Mitigation Plan reviewed in these cases was found to pass regulatory muster. This certainly underscores the OCR’s observation that it considers the Risk Analysis and Risk Mitigation Plan to be the “cornerstones of the HIPAA Security Rule.” It also signals that all providers, even smaller ones, should be thinking closely about their Risk Analyses and Risk Management Plans; conducting them regularly and in a meaningful, not cursory, way; and documenting them appropriately.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
Policy revision
Another recurrent theme in these CAPs is policy revision. All 12 CAPs require the entity to either develop new policies or revise existing (inadequate) ones. Many also expressly instruct the entity to distribute and upload the policies, train employees on them, and regularly review them. In some cases the requirement is worded broadly, though in others the OCR sets forth numerous specific subject areas (in one case, 15!) in which the entity must review or develop policies.
This focus on policies is also noteworthy. It signals that the OCR places weight on HIPAA’s numerous policy and procedure requirements, on carefully implementing and training staff on them, and ensuring and documenting compliance with them. In addition, and like the emphasis on Risk Analyses and Risk Mitigation plans, it suggests that, once the OCR undertakes a Security Rule-related investigation, it “pops the hood open” and looks around widely, investigating and imposing remediation with respect to a broad range of Security Rule requirements, even where the technical cause of the security incident at issue may be narrow.
Photo: turk_stock_photographer, Getty Images
