HHS recently entered into a $3.5 million settlement agreement with a health care provider (the “Provider”) on behalf of five entities under its common ownership and control for violations of the HIPAA privacy and security rules. Each of the five entities constituted a “covered entity” under HIPAA. In 2013, the Provider filed five breach reports with HHS, each of which pertained to a separate incident that implicated the “electronic protected health information” (“EPHI”) of one of those covered entities. HHS’s subsequent investigation of the breaches revealed a number of violations of the HIPAA privacy and security rules, including that certain of the covered entities:
- Failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI;
- Provided unauthorized access to EPHI for a purpose not permitted by the HIPAA privacy rules;
- Failed to implement policies and procedures to address security incidents; and
- Failed to implement a mechanism to encrypt and decrypt EPHI when it was reasonable and appropriate to do so under the circumstances.
In addition to the $3.5 million monetary settlement, the settlement agreement imposed a two-year corrective action plan on the covered entities, which requires them to complete a risk analysis and risk management plans, revise policies and procedures on certain controls related to EPHI, develop encryption reports, educate their workforces on HIPAA policies and procedures, and provide interim reporting to HHS throughout the corrective action plan’s two-year term. In light of the high-dollar settlement amount and the extensive remedial measures involved in the Provider’s settlement, it is noteworthy that all five of the breach incidents involved the EPHI of relatively few individuals (no incident involved more than 250 individuals, and three of the five incidents involved fewer than 40 individuals). Employers that sponsor group health plans, which are also HIPAA covered entities subject to HIPAA’s privacy and security rules, must ensure compliance with these rules to avoid penalty assessments by HHS, even if the amount of EPHI that the covered entity maintains is minimal.