Written By: Matthew T. Cheeks

Has your practice done a HIPAA Risk Analysis lately?  Indiana provider pays $750,000 settlement for HIPAA violations.

Hacking and data breach incidences are increasingly common and have become a fact of life in modern business.  Regardless of the sector or industry, individuals rarely have to wait long before the next hack or breach grabs national headlines (e.g., government, banking, retail or healthcare).  The constant media attention and an increased awareness of the risks of identity theft have driven healthcare consumers’ concerns about the use and security of their electronic protected health information (ePHI).  This growing concern and the ease of electronically filing a Health Insurance Portability and Accountability Act (HIPAA) complaint via the U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) online Complaint Portal have led to tremendous increases in the number of HIPAA complaints OCR receives.  For instance, there was a 16 percent increase in the number of complaints received between 2011 (9,018) and 2012 (10,457).  The number of complaints increased 24 percent in 2013 (12,974) and jumped 37 percent in 2014 when OCR received 17,779 complaints.  As healthcare consumers’ interest in ePHI has grown, so too has OCR’s enforcement efforts, and OCR publicly maintains that enforcement is a high priority.

The natural result of these factors is the increased risk to healthcare providers of potentially significant liability, particularly growing out of the failure to be proactive in guarding ePHI.  For example, OCR recently announced the $750,000 settlement of potential violations of HIPAA’s Security Rule and Privacy Rule against Cancer Care Group, P.C. (CCG), an Indiana-based group that includes 18 physicians.

CCG self-reported the theft of “computer server backup media” (e.g., back-up tapes) containing the unencrypted ePHI of 55,000 patients from a CCG employee’s vehicle in August 2012.  OCR’s investigation revealed that “CCG failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI help by CCG.”  OCR further found that CCG had “failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility.”

While the impermissible disclosure of ePHI of 55,000 patients certainly played a role in the outcome of OCR’s investigation, it is clear that CCG’s failure proactively address the security of ePHI was a—if not the—significant factor.  OCR reinforced its emphasis on the Risk Analysis and Risk Management requirements (45 C.F.R. §164.308(a)(1)(ii)(A) and (B)) in the Resolution Agreement and required CCG adopt a “robust corrective action plan” subject to OCR’s review and approval.

Despite OCR’s efforts in recent years, the U.S. Department of Health & Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two reports in September 2015 (found here and here) calling on OCR to strengthen its enforcement efforts regarding general privacy standards and security breach reporting requirements.  OCR agreed with the OIG’s reports, and indicated that it intends to do just that (the implementation of Phase 2 audits in 2016 will be part of these efforts).

Thus, all signs point to increasing risks for providers with respect to ePHI and the need to be proactive about the security of ePHI.  The unfortunate fact, however, is that policies and procedures—or lack thereof—similar to CCG’s are probably not uncommon.  Providers are too often reactionary, addressing these issues only after a breach for a variety of reasons (e.g., costs of risk analyses, costs of implementing recommended safeguards, or even a general unawareness of the need for the analyses).  Old adages often hit the mark and, when dealing with ePHI, an ounce of prevention is truly worth a pound of cure.

Matthew Cheeks is a trial attorney with Hemmer DeFrank Wessels PLLC.  His practice focuses on helping individuals and businesses solve complex problems through negotiation, mediation, arbitration and trial.  You can reach him at [email protected].

Hemmer DeFrank Wessels, PLLC serves clients throughout Kentucky, Ohio, and New York, including the cities of Cincinnati, Covington, Florence, Ft. Wright, Newport, Erlanger, Independence, Highland Heights, Park Hills; and the communities of Greater Cincinnati, Northern Kentucky, Kenton County, Boone County, Campbell County, Grant County, Hamilton County, Clermont County, Warren County and Butler County.

Hemmer DeFrank (1)