As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.
Massive Data Breaches
The year began inauspiciously, with one of the largest data breaches to ever hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned over 14 states, and included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:
Premera Blue Cross (11 million individuals affected)
Carefirst BlueCross BlueShield (1.1 million individuals affected)
UCLA Health (4.5 million individuals affected)
Excellus (10 million individuals affected)
One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer system. The analysts concluded that their breach had occurred as early as December of 2013. UCLA Health faced similar delays in identifying their breach. One reason for this may be a result of another common thread: the advanced nature of the attacks. While not independently verified, a number of the affected entities have reported that the acts were “very sophisticated.” While the culprits of these mega-breaches have not been identified by name, many suspect state sponsorship of the attacks by China.
Unprecedented Criminal Charges under HIPAA
As we have previously discussed, the U.S. Department of Justice has taken a more aggressive position on prosecuting individuals for corporate misconduct. This development appears to have found its way into the health care privacy space. In November, the US Attorney’s Office in Boston announced that drug company Warner Chilcott agreed to plead guilty to health care fraud and pay $125 million to resolve criminal and civil liability arising out of allegations involving the promotion of the company’s drugs. In addition to announcing the settlement against the company, the DOJ also announced that it would be bringing criminal charges under HIPAA against company employees and a physician practice owner involved in the illegal conduct, for related, impermissible uses and disclosures of protected health information (PHI) which we discussed in more detail here.
Settlements for Alleged Breaches
2015 saw a number of settlements related to potential HIPAA violations. The first settlement was the result of a report by a local Denver news outlet. The outlet reported to the Department of Health and Human Services (HHS) that Cornell Prescription Pharmacy was disposing of PHI in a dumpster that was accessible to the public. The pharmacy ended up settling with HHS’s Office for Civil Rights (OCR) for $125,000 and agreed to enter into a corrective action plan. We also saw a number of settlements arising from breaches of electronic information. In September, Cancer Care Group, a radiation oncology practice in Indiana, agreed to pay $750,000 to settle potential violations of HIPAA stemming from the theft of a laptop that contained unencrypted PHI. This settlement is notable for two reasons. First, it underscores the continued importance of encrypting all data placed on laptops and other moveable devices. Second, the settlement figure is quite high when considering that the entity was a relatively small medical practice. Nevertheless, these two settlements have been dwarfed by a settlement that HHS recently announced with Triple-S Management Corporation. The $3.5 million settlement was the culmination of multiple breaches of PHI by Triple-S and its subsidiaries over an extended number of years. The breaches ranged from improper access by former employees whose computer credentials were not revoked to the mailing of member ID cards to incorrect individuals.
We would expect to see more settlements in 2016, particularly given the pressure on OCR to more effectively enforce HIPAA, which we discuss below.
Criticism of OCR’s Enforcement; Phase 2 Audits
Earlier this year, the OIG issued a report critical of the OCR’s enforcement of HIPAA.
The report, released in September, examines whether OCR is sufficiently exercising its oversight responsibilities. As we previously discussed here, the OIG focused on whether OCR is adequately overseeing covered entities’ compliance with HIPAA’s Privacy Rule. The OIG found a number of areas where OCR’s oversight is lacking. Based on its findings, the OIG recommended that OCR should:
Fully implement a permanent audit program;
Maintain complete documentation of corrective action;
Develop an efficient method in its case-tracking system to search for and track covered entities;
Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
Continue to expand outreach and education efforts to covered entities.
In a letter from OCR to the OIG (attached as an appendix to the OIG report), OCR acknowledged the OIG’s findings and concurred with their recommendations. In its response, OCR stated that it will launch Phase 2 of its audit program in early 2016. According to OCR, Phase 2 will test the efficacy of the combination of desk reviews of policies as well as on-site reviews, target specific common areas of noncompliance, and include HIPAA business associates in its audit process.
Covered entities and business associates who may have let their guard down during the 2015 audit delay should be preparing now for these audits, especially as OCR may feel that it has “something to prove.”
New Guidance and Tools
Thankfully, in the midst of all of the breaches and handwringing about audits, we saw the introduction of tools and guidance to help covered entities and business associates comply with HIPAA. In April, the Office of the National Coordinator for Health Information Technology (ONC) published the second version of its Guide to Privacy and Security of Electronic Health Information. As we explained in an earlier post, the guide provides advice on various topics at the intersection of HIPAA and HIT, including:
How to identify whether a contractor is a Business Associate under HIPAA;
When patient authorizations are and are not required to disclose protected health information (“PHI”);
Questions to ask EHR health IT developers about security; and
How to implement a security management process to address the security requirements of the EHR Incentive Programs.
As we discussed in October, the OCR released an online forum where developers can pose privacy-related questions unique to the burgeoning healthcare mobile app landscape. In addition to providing a means to ask general questions, OCR hopes that developers will use the portal to submit recommendations for future guidance. As of the date of this post, it appears that the use of this tool is slowly increasing and many of the posted questions are receiving comments from other community members.
With new OCR teaching tools in hand, and an increasing wariness of “sophisticated hackers,” we look forward to 2016 and whatever is to come for HIPAA-regulated entities. Happy holidays and happy new year to all!
Originally posted in Mintz Levin's award-winning Health Law & Policy Matters blog.