HHS Ramps Up Investigation of Small-Scale HIPAA Breaches
09.20.16
Following the settlement of a number of comparatively small patient privacy violations, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has directed its regional offices to take a more aggressive approach to breaches involving protected health information (PHI) of fewer than 500 individuals. While most providers are routinely prepared to prevent and respond to investigations, public scrutiny, and enforcement mechanisms related to breaches involving PHI of 500 or more individuals, providers of all sizes should be aware of the agency’s renewed focus on investigating “systematic noncompliance” related to small-scale breaches.
HHS referenced the following recent settlements with various covered entities (including providers and business associates) as a warning to all covered entities under the Health Insurance Portability and Accountability Act (HIPAA):
- Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS): The theft of a mobile device compromised PHI of 412 nursing home residents of facilities to which CHCS provided management and information technology services. The settlement included a monetary payment of $650,000 and a corrective action plan.
- TRIPLE-S: OCR initiated investigations pursuant to multiple potential breach notifications from TRIPLE-S, an insurance company offering products and services to providers. TRIPLE-S, through its wholly-owned subsidiaries, reported small-scale breaches such as disclosure of health plan identification numbers on mailing labels, and delivery of mailings to beneficiaries that included PHI for another member. The settlement included a monetary payment of $3.5 million and a corrective action plan.
- St. Elizabeth’s Medical Center (SEMC): SEMC workforce members used an Internet-based document sharing application to store unsecured documents containing PHI of at least 498 individuals. The settlement included a monetary payment of $218,400 and a corrective action plan.
- QCA Health Plan, Inc.: An unencrypted laptop containing PHI of 148 individuals was stolen from an employee’s car. The settlement included a monetary payment of $250,000 and a requirement to provide HHS with an updated risk analysis and corresponding risk management plan.
- Hospice of North Idaho (HONI): An unencrypted laptop containing the PHI of 441 individuals was stolen, and HONI did not have adequate procedures and policies in place to address mobile device security requirements of HIPAA. The settlement included a monetary payment of $50,000.
In addition to highlighting these recent breach settlements, HHS also emphasized OCR’s commitment to investigating routine compliance issues within organizations and scrutinizing regional trends stemming from underreporting. Providers and business associates of all sizes should ensure that their policies, procedures, and business associate agreements are in compliance with HIPAA standards and that they have implemented adequate corrective action plans sufficient to respond to even minor breaches and investigations by OCR.
Thank you to Aubrey Beckham, Belmont University College of Law, for her help in preparing this article.