The U.S. Department of
Health and Human Services ("HHS") recently announced that a
HIPAA "covered entity" has agreed to pay $1.5 million and
enter into a three-year Corrective Action Plan ("CAP") to
settle alleged violations of the HIPAA Security Rule.
Under HIPAA, covered
entities include group health plans, health insurers and health care
providers. The Security Rule protects health information in
electronic form ("ePHI") by requiring covered entities to
adopt and implement administrative, physical and technical safeguards
to ensure the confidentiality, integrity and availability of ePHI.
The violation occurred when
an unencrypted personal laptop that belonged to one of the covered
entity's employees was stolen. The laptop contained ePHI for
approximately 3,500 patients and research subjects, including names,
e-mail addresses, dates of birth, prescriptions and medical
histories. As required by the HITECH Breach Notification Rule, the
covered entity reported the breach to the affected patients and
research subjects, as well as to HHS.
HHS's Office for Civil Rights
("OCR") proceeded to investigate the breach and found that
the covered entity had failed to comply with certain Security Rule
requirements. OCR concluded that the covered entity had failed to:
(i) implement security measures to ensure that ePHI stored on
portable devices was kept confidential; (ii) conduct a thorough risk
analysis of the vulnerabilities affecting ePHI stored on portable
devices; and (iii) adopt and implement policies and procedures to
address the identification, reporting and response to "security
incidents." OCR also said these failures had continued over an
extended period of time, which it viewed as demonstrating the covered
entity's long-term organizational disregard for the Security Rule.
The CAP requires the covered
entity to review, revise and maintain policies and procedures to
ensure compliance with the Security Rule. Moreover, an independent
monitor will verify the covered entity's compliance with the CAP
through unannounced site visits and report its findings to HHS
semi-annually for a period of three years.
The use of portable devices
is becoming increasingly commonplace in the health care industry.
Therefore, covered entities (and their business associates) must be
vigilant in monitoring potential risks to their ePHI and, when
appropriate, update their policies and procedures for securing ePHI.
In particular, ePHI that is encrypted in accordance with HHS guidance
is not "unsecured" PHI, so the loss or theft of a properly encrypted
device does not by itself trigger the Breach Notification Rule; a
documented risk analysis that addresses laptops and other portable
media, followed by encryption of the ePHI they hold, would have
avoided the central failures OCR identified here.
To ensure complete compliance with the highly technical and complex
requirements of the HIPAA Privacy and Security Rules, covered
entities should also consult with qualified counsel.