AIS's Health Business Daily
Featured Story, August 21, 2008

Corrective Action Plan and $100,000 Fine Illustrate Tougher HHS Stance on HIPAA Enforcement

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

For the first time, a covered entity (CE) under the privacy and security rules has made a $100,000 payment to Uncle Sam and agreed to subject itself to three years of monitoring by HHS for losing unencrypted laptop computers and backup data more than two years ago. Government officials, who announced the payment and corrective action plan (CAP) imposed on a Seattle-based health plan and home health agency on July 17, say the payment was not a "fine" and the organization did not admit any wrongdoing. But the news sent a chill through the privacy and security compliance community.

"This is a significant warning sign for covered entities, mainly a heads up that the government is getting more aggressive and [the CAP provides] a checklist of items that companies should be paying particular attention to in their security efforts," says Kirk Nahra, a partner with Washington, D.C.-based law firm Wiley Rein, LLP. Adds Chris Apgar, a health care privacy and security consultant, "covered entities need to prepare for the potential that a privacy complaint could lead to financial costs associated with a corrective action plan and the imposition of a 'fine.'"

The CAP and payment are part of a "resolution agreement" between HHS and Providence Health & Services "to settle potential violations" of HIPAA privacy and security rules, HHS officials said in a news release. The agreement was developed jointly by the Office for Civil Rights, which enforces the privacy rule, and CMS, which enforces the security rule. In comments to RPP, Susan McAndrew, OCR's deputy director for health information privacy, described HHS's actions with Providence as one step beyond what OCR typically does when it responds to allegations of privacy rule violations. HHS officials selected McAndrew to respond to RPP for both OCR and CMS.

"Usually privacy rule investigations that find indications of potential violations are concluded to the satisfaction of OCR when the entity completes certain voluntary compliance actions, and OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result," she says. McAndrew says that OCR and CMS have "successfully resolved" more than 6,700 privacy and security rule cases by requiring the entities to make systemic changes to their health information privacy and security practices. But this marks "the first time HHS has required a resolution agreement from a covered entity" and the first time a payment is being made.

"A resolution agreement with a corrective action plan is the next level of OCR's enforcement process," she explains. "This written agreement is negotiated in those cases when OCR has not been able to reach a satisfactory resolution of a complaint through the covered entity's demonstrated compliance and/or corrective action through other informal means." Resolution agreements are contracts signed by the CE and HHS, in which the CE agrees to perform certain obligations, such as staff training, and report back to HHS, "generally for a period of three years," she says.

McAndrew says the law gave HHS the authority to impose a resolution agreement. It is provided for under 45 CFR 160.312(a): "Informal means may include demonstrated compliance or a completed corrective action plan or other agreement." "A resolution agreement will include a corrective action plan," she adds.

Despite how the $100,000 is being viewed in the compliance community, OCR's McAndrew says it is not technically a civil monetary penalty (CMP). Because Providence cooperated with OCR and CMS, "formal enforcement proceedings [were] unnecessary, as this issue was resolved through informal resolution and voluntary compliance," she says. However, McAndrew does acknowledge that the amount "was based upon the potential civil money penalties had this case proceeded with formal enforcement."

Only one other CE is known to have made a payment to an enforcement agency for actions related to a violation of the privacy and security rules. In October 2006, Humana agreed to pay the North Dakota Department of Insurance $50,000 in connection with a breach that occurred in Minnesota but involved the protected health information (PHI) of 126 North Dakotans who had signed up for Medicare's drug benefit. Their information also was contained in a laptop that was stolen. The money was technically not a fine, but was to "offset costs and expenses" the commissioner's office said were spent in connection with its investigation.

Some have speculated that HHS also might put the $100,000 back in its coffers, perhaps to pay itself back for costs incurred in investigating and resolving the case. Not so, says McAndrew. "The resolution amount is deposited in the General Fund of the U.S. Treasury," she tells RPP, adding that it has already been paid.

HHS: Policies Were Not Enforced

Many organizations have also suffered the loss of unencrypted laptops, and, in fact, encryption isn't even required by the privacy or security rule. But Providence's case seems more egregious than most. The investigation was triggered by a series of incidents that took place between September 2005 and March 2006, "in which electronic information that was not encrypted or otherwise properly safeguarded was lost or stolen," McAndrew says. "Over five separate dates, backup tapes, optical disks and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended," McAndrew says. "The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients."

McAndrew says OCR's and CMS's investigation found that "in some cases" Providence had policies requiring encryption and a ban on taking information home or leaving it unattended, but that these policies were not enforced. In addition, "managers knew that employees were taking unencrypted disks and tapes off of the premises. The investigation found that these practices created vulnerabilities that led to massive impermissible disclosures through multiple thefts," she adds.

Eric Cowperthwaite, Providence's chief information security officer, said that, since the time of the incidents, Providence has "reinforced our security protocols and implemented new data protection measures. Under the terms of the agreement, we will continue to implement appropriate policies, procedures and training."

Resolution Took Years

The complexity of the case was apparently part of the reason for the length of time it took HHS to get the resolution in place, but that time frame was also due to the fact that this was the first such agreement HHS has developed. McAndrew says HHS received 31 individual complaints about Providence, which were investigated "as a single case."

According to McAndrew, the CAP "reinforces the point that effective compliance means more than just having written policies and procedures. To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features."

But the actions HHS required of Providence don't necessarily fit every CE, she adds. "[E]ach entity needs to make its own assessment of what actions would meet the requirements of the rule in their environment. The privacy and security rules give needed flexibility for providers and plans to create their own privacy and security procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard," McAndrew says.

The resolution agreement "was carefully crafted to provide a meaningful corrective action plan that achieves the results we are seeking: assurance that the PHI maintained by this covered entity will be safeguarded from unauthorized use or disclosure," she says. McAndrew adds that "we expect that future agreements would be negotiated more expeditiously."

Experts always warn that the biggest cost of non-compliance is the black mark on a CE's reputation if a breach becomes public. Since the breaches occurred up to three years ago in Providence's case, the memory had probably faded from the public's mind by the time that HHS announced the settlement, complete with a news release and a full copy of the CAP, putting the organization back in the news again.

Based on comments from HHS, other entities may face a similar experience. When asked if HHS would be issuing press releases like this one in the future, McAndrew indicated it might. "[W]e will do it again under appropriate circumstances," she says. "We make these determinations on a case-by-case basis. Other covered entities that are not in compliance with the privacy and security rules may face similar action."

Privacy Advocates Praise Outcome

Reaction was nearly universal surprise at the payment, and praise from privacy advocates who said that, finally, OCR had taken action. For example, Mark Rothstein, who until June 1 was the chairman of the privacy and confidentiality subcommittee of the National Committee on Vital and Health Statistics, said he was "very pleased" with the payment amount. Rothstein has argued that OCR was too soft on violators and was not doing enough to enforce the privacy rule. And he too views the payment as a CMP.

"After 35,000 complaints to OCR and over five years since the compliance date for the privacy rule, there has finally been a CMP," he tells RPP. "Unfortunately, without the threat of enforcement action, some CEs will not take their obligations under the privacy rule seriously, and many patients will believe that their rights are meaningless."

Experts also saw a precedent in the release of the CAP. Nahra notes that until now, CAPs also have not been made "public in any sense." He also said he thought the fine was of a "significant" amount. "I do think this is the start of more aggressive enforcement although I do not expect a flood of cases," he said. He suggests it seems unlikely that HHS would hammer other CEs on the same grounds as Providence because "the relevant violation, involving unencrypted laptops and other portable media, would have been pretty common during the time period in question," late 2005 and early 2006. "Even today, while encryption is more common, it is not uniform, and the encryption or other stringent protection of tapes and similar items is still uncommon or not at all uniform," Nahra says.

For Apgar, president of Apgar & Associates, LLC, the take-home lesson for CEs is that "there is no such thing as privacy without security, and security breaches can and do become privacy breaches that make the headlines in communities and potentially across the country." "What resulted in a privacy breach that led to OCR action actually occurred because of a security breach," Apgar says. "A number of covered entities that do take privacy very seriously overlook the need for sound security programs that protect patient and health plan members' information and, in fact, a number of these covered entities are not in compliance with the HIPAA security rule."

Privacy officers should "make a point of reviewing the safeguards that are in place to protect the privacy of patient and health plan member PHI and, if not satisfied with the protections, take action to address noted deficiencies," Apgar says.

Donald Holden, hospital security consultant with Concordant, a Massachusetts-based health care information technology company that establishes systems for hospitals, says HHS is "trying to send a message that past practice is not acceptable." Holden says he didn't see anything "onerous or surprising in the CAP." He contends that hospitals and other CEs should be encrypting data, especially when kept on portable devices. Holden adds that hospitals are "nervous" about compliance now in light of the Providence settlement. Many, he says, are taking extra steps to beef up security, especially as they expand their electronic medical records systems to connect with doctors.