HIPAA Update: Recent Enforcement Actions Highlight Need to Implement Policies and Procedures and Oversee Your Organization’s HIPAA Compliance Program

CardioNet $2.5M Settlement

On April 24, 2017, CardioNet agreed to pay $2.5 million to the Department of Health & Human Services (HHS) to settle potential violations of HIPAA Privacy and Security Rules. The company also agreed to implement a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  The enforcement action resulted from a January 2012 report by CardioNet to the Office for Civil Rights (OCR) regarding a laptop that was stolen from an employee’s vehicle.   The laptop contained the electronic protected health information (ePHI) of 1,391 individuals. During the subsequent investigation, OCR discovered that the risk analysis and risk management processes CardioNet had in place at the time of the theft were insufficient. Additionally, the organization’s policies and procedures regarding the implementation of the standards of the HIPAA Security Rule were in draft form and had not been implemented.   In fact, CardioNet could not produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

Takeaway for Covered Entities and Business Associates: It is critical that covered entities and business associates have sufficient risk analysis (performed on a periodic and ongoing basis) and management processes (updated on a periodic and ongoing basis) in place and all policies and procedures implementing standards of HIPAA are final, approved, and implemented – including those for mobile devices.

Center for Children’s Digestive Health $31,000 Settlement

On April 17, 2017, the Center for Children’s Digestive Health (CCDH) agreed to pay HHS $31,000 to settle potential violations of the HIPAA Privacy Rule and implement a corrective action plan.  The corrective action plan requires CCDH to develop, maintain and revise written policies and procedures to comply with federal standards that govern the privacy and security of protected health information (PHI).  CCDH is also required to distribute these policies and procedures to all members of its workforce and assess and update them as appropriate, but at least annually.

The enforcement action is a result of an August 2015 compliance review of CCDH initiated by the OCR following an investigation of CCDH’s business associate, FileFax, Inc.  During the investigation, OCR learned FileFax stored records for CCDH containing PHI.  However, neither CCDH nor FileFax could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015, despite the fact that CCDH began disclosing PHI to FileFax in 2003.

Takeaway for Covered Entities and Business Associates:  If a Covered Entity discloses PHI to a Business Associate, both parties must have a current, updated and executed BAA in place at all times.

Metro Community Provider Network $400,000 Settlement

On April 12, 2017, MCPN, a federally-qualified health center of Denver, Colorado, agreed to settle potential noncompliance with the HIPAA rules by paying $400,000to HHS and implementing a corrective action plan.  The settlement is based on the lack of a security management process to safeguard ePHI.  On January 27, 2012, MCPN filed a breach report informing OCR that a hacker gained access to employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR subsequently investigated and learned that although MCPN took necessary corrective action related to the incident, the organization failed to conduct a risk analysis until mid-February 2012. OCR also learned that prior to the phishing incident, MCPN failed to conduct a risk analysis to assess the risks and vulnerabilities in its ePHI environment and had not implemented any corresponding risk management plan to address those identified risks and vulnerabilities, as required by HIPAA.