HIPAA Wake-Up Call for Financial Institutions: First HIPAA Settlement with Business Associate

It’s a HIPAA first. A business associate has settled a direct enforcement action over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA). This settlement portends future HIPAA enforcement actions against business associates.

What Happened? It all started with the theft of a smart phone.

On June 24, 2016, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) entered into a resolution agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides, as a business associate, management and information technology services to its six nursing homes. The theft of an employee’s CHCS-issued smartphone triggered the investigation.

Specifically, the smartphone – which was not password protected or encrypted – contained information on 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, and medical procedures. Additionally, CHCS allegedly did not have policies addressing the removal of mobile devices that contain electronic protected health information (ePHI), had not undertaken a risk analysis, and did not have a risk management plan in place at time of the theft.

What Was the Settlement?

As part of the settlement, CHCS agreed to pay $650,000 and adhere to a two-year corrective action plan. The corrective action plan requires the business associate to: conduct a risk analysis on an annual basis; develop, maintain, and revise its policies and procedures to address a number of HIPAA security requirements, including encryption of ePHI, audit controls, integrity controls, log-in monitoring, and password management; provide training for all workforce with access to ePHI; and submit annual compliance reports to OCR, among other provisions.

Isn’t that a Small Settlement Amount?

HIPAA settlement amounts take in numerous considerations, but the size and services of the business associate seem to be a significant factor. Through June 10, 2016, the average settlement amount was about $1 million. This settlement was significantly less at $650,000. The press release suggests that this may have been because of the business associate’s non-profit status, with a higher settlement amount potentially interfering with CHCS’ ability to continue to serve vulnerable and underserved populations. CHCS’ corrective action plan timeline is consistent with the average plan length of two years that we have seen previously. It seems likely that the settlement would have been at or more than the average if the business associate was a large financial institution.

Why Now?

It seemed only a matter of time for a business associate to be targeted for a HIPAA settlement. OCR settlement agreements tend to arise two to three years after the incident that caught OCR’s attention, providing time for agency investigation and negotiations. Since OCR first began holding business associates directly liable under HIPAA--starting in September 2013-- it seemed likely that the first settlement agreement with a business associate would come around this time close to three years later. OCR already has taken enforcement actions against covered entities related to their business associates, usually related to a lack of a business associate contract. It is safe to say that we will begin to see settlements with business associates interspersed with covered entity settlements in the coming years.

What Does this Mean for Financial Institutions that are Business Associates?

A current phase of HIPAA audits of covered entities is under way. OCR soon will be conducting audits of business associates. As part of the audit process, OCR requested information about these entities’ business associates. This will provide OCR with the information necessary to develop a pool of potential business associate auditees.

Additionally, at a little more than the halfway point of the year, 2016 already has seen more enforcement actions than all of 2015.

Accordingly, financial institutions that are business associates should view the CHCS settlement – particularly when combined with the current HIPAA audits and the increased enforcement actions – as a wake-up call.

What are some Lessons Learned?

Whether it is to avoid HIPAA trouble for themselves or their clients, business associates should note the following takeaways from the CHCS settlement:

• This settlement case focused on the absence of risk analysis and risk management. Once again, OCR is sounding the alarm for the need for periodic risk analysis. From the press release’s description and the corrective action plan requirements, OCR likely could have alleged other categories of violations, but chose to focus on the risk analysis. Although financial institutions tend to have appropriate security measures in place, a HIPAA risk analysis may require special attention.
• Verifying HIPAA compliance now will help business associates put their best foot forward should they become subject to an audit or a HIPAA investigation. As part of this verification, financial institutions acting as business associates should review whether they have an up-to-date HIPAA compliance program in place and fine-tune existing policies and procedures based on experience. A business associate’s HIPAA compliance plan should cover at least the following requirements:
• Limit uses and disclosures of protected health information, and address minimum necessary obligations;
• Perform and document risk analysis and risk management processes—and revisit these regularly, particularly in response to changes in the organization, and/or its services and operations, or in light of new security threats;
• Implement reasonable and appropriate administrative, physical, and technical safeguards for protected health information (PHI) in any form or format;
• Don’t forget about portable media and devices—theft and loss of portable devices, such as cell phones and laptops, have triggered a large percentage of HIPAA settlements, including this one;
• Formalize privacy and security efforts through policies and procedures;
• Appoint a security officer (and perhaps a privacy officer);
• Verify compliance with existing business associate agreements – failure to comply may result in increased liability beyond breach of contract; and
• Train workforce members and promote ongoing security awareness.
• Follow-up after a breach. A financial institution that suffers a breach involving unsecured PHI must investigate the breach, take corrective action, notify its covered entity customer, and document the event as required under HIPAA (and as required by applicable state law). Usually, the customer will notify affected individuals and OCR. OCR regularly investigates breaches and could follow-up with the business associate.