On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet – a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.” According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops. And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”
In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution, there was another settlement announced on April 20, 2017. This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement. According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances in the form of a written business associate agreement that the vendor would appropriately safeguard the PHI in the vendor’s possession or control. As done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and the failure to have one when necessary would be a costly error. See 45 C.F.R § 164.502(e).
And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place. Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.
OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.
Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.
To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan. Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance. With this latest round of settlements, it, however, appears clearer and clearer that an ounce of prevention is worth a pound of cure.