End of Year HIPAA Fines Underscore Compliance

Three recent Office for Civil Rights (OCR) settlements highlight the continued need for HIPAA and HITECH compliance.

Just as the last quarter of 2015 comes to a close, OCR appears to have doled out a few fines related to HIPAA violations. For physicians, this should serve as a reminder to budget for the required risk assessment and risk analysis, as well as highlight the importance of technical, administrative, and physical (“TAP”) aspects of HIPAA compliance. Doing adequate due diligence on business associates, which can included covered entities and hybrid covered entities, is crucial to avoiding additional liability.

On Nov. 30, Triple-S Management Corporation (“Triple S”), San Juan, Puerto Rico,and its three wholly owned subsidiary companies were fined $3.5 million and adopted a corrective action plan. According to OCR Director Jocelyn Samuels, “[t]his case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”  Failing to comply with HIPAA could have even greater ramifications, like the repayment of meaningful use payments.

A week prior to the Triple-S announcement, OCR fined Lahey Hospital and Medical Center in Burlington, Mass., $850,000 for a breach of 599 patients that resulted from a stolen laptop. This action is of particular significant because of the emphasis on medical devices, including diagnostic or laboratory equipment. Here, the laptop was left in a docking station in an unlocked room. “Evidence obtained through OCR’s subsequent investigation indicated widespread non-compliance with the HIPAA rules, including:

• Failure to conduct a thorough risk analysis of all of its ePHI;

• Failure to physically safeguard a workstation that accessed ePHI;

• Failure to implement and maintain policies and procedures regarding the safeguarding of • ePHI maintained on workstations utilized in connection with diagnostic/laboratory equipment;

• Lack of a unique user name for identifying and tracking user identity with respect to the workstation at issue in this incident;

• Failure to implement procedures that recorded and examined activity in the workstation at issue in this incident; and

• Impermissible disclosure of 599 individuals’ PHI.”

On the state front, NY Attorney General Eric Schneiderman fined the University of Rochester Medical Center $15,000 and required, in keeping with HIPAA requirements, that all staff be trained on HIPAA privacy and security requirements. The fine was the result of an employee sharing patient information of 3,403 individuals with a new employer, who subsequently sent the individuals letters. Reinforcing his stance, Attorney General Schneiderman indicated, “[m]y office is committed to protecting patients’ private health information. Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”

All of these actions underscore that fines can come from different government entities and that HIPAA compliance is on their radar.