HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections, and that neither entity had conducted a thorough risk analysis or had an adequate risk management plan.
NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.
On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the finding of sensitive health data stored on copier hard drives.
Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that contained confidential medical information on its hard drive. Affinity then reported this breach to the HHS Office for Civil Rights on April 15, 2010. Affinity estimated that up to 344,579 individuals may have been affected by the breach.
OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing the modifications to the HIPAA Privacy and Security rules. The HHS issued the final rule to:
- modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under HITECH to strengthen privacy and security protection for individuals’ health information (applying the Security Rule standards and certain Privacy Rule requirements directly to business associates);
- modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act (an impermissible access to or disclosure of PHI is presumed to be a breach);
- modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing the provisions of GINA (Genetic Information Nondiscrimination Act of 2008);
- make certain other modifications to the HIPAA Rules in order to improve effectiveness and flexibility.
The final rule is effective March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.
The regulations transform the relationship between covered entities and business associates and, for the first time, regulate a new type of HIPAA entity: “subcontractors.” The rule replaces the “harm” standard in the breach notification rules with a four-step determination of whether notification is required.
The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.
Final modifications to the Privacy, Security and Enforcement Rules (per HITECH) include:
• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information without individual authorization.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
The final rule adopts the tiered civil money penalty structure. This includes the modified “reasonable cause” definition, i.e., the second tier of the penalties (the entity knew, or by exercising reasonable diligence should have known, of the violation, but the violation was not due to willful neglect). The HITECH tiered penalty scheme is as follows:
(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation;
(2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1,000 or more than $50,000 for each violation;
(3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and
(4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
In applying these amounts, HHS says it will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts as required by the statute (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors).
The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.
HHS declined to provide a definition for Health Information Organization.
Data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.
The official publication for the new rule is scheduled for January 25, 2013.