In the last week the Office for Civil Rights (OCR) has issued press releases on two enforcement actions that involve very different types of providers but send a consistent message about what is expected in terms of HIPAA compliance.
July 23, 2020 – Metropolitan Community Health Services (Metro), a Federally Qualified Health Center serving an impoverished community in rural North Carolina, agreed to pay $25,000 to settle potential HIPAA violations. The fact that Metro provides discounted medical services to an underserved rural area was considered in determining the settlement amount; in effect, the organization got a break because of the good work it does.
Metro filed a breach report that triggered an OCR investigation. During the investigation OCR determined there was systemic non-compliance with the HIPAA Security Rule: Metro had not conducted a security risk analysis, did not have proper policies and procedures in place, and had provided very little HIPAA training to staff members.
In addition to the $25,000 settlement payment, Metro entered into a Corrective Action Plan that included two years of monitoring by the OCR.
July 27, 2020 – Lifespan Affiliated Covered Entity (Lifespan), a non-profit health system in Rhode Island, agreed to pay $1,040,000 to settle potential HIPAA violations related to the theft of an unencrypted laptop computer. As a result of the theft, the protected health information (PHI) of 20,431 people was exposed.
In investigating the breach, OCR determined there was systemic non-compliance with the HIPAA Rules: Lifespan failed to encrypt the laptop even after its own assessment had determined that encryption was reasonable and appropriate, failed to implement device and media controls, and failed to have proper Business Associate agreements in place. Note that had the laptop been encrypted, the PHI on it would not have been "unsecured PHI" under the Breach Notification Rule, and the theft would likely not have been a reportable breach at all.
In addition to the $1,040,000 settlement payment, Lifespan entered into a Corrective Action Plan that included two years of monitoring by the OCR.
So, what is the message these two enforcement actions send? Large or small, every provider is expected to follow the requirements in place to ensure the privacy and security of PHI. Not every provider has to have the same program, but every organization is expected to implement a HIPAA program, according to its means, that meets the requirements of both the Privacy Rule and the Security Rule. In both of these actions OCR cited systemic non-compliance with the HIPAA Rules. The events that led to the OCR investigations were not isolated incidents or the acts of a rogue employee. Rather, they were the result of both organizations' failure to have in place the most basic components of a HIPAA program: policies and procedures, a risk analysis, encryption, effective training, and Business Associate agreements.
Taking the position of “we are too small to have a real HIPAA program” or “we simply can’t afford it” won’t fly with the OCR should they come knocking as part of a breach investigation. As Roger Severino, OCR Director stated in the Metro press release, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Every organization is encouraged to take a realistic look at its HIPAA program to determine whether the basic requirements of the HIPAA Privacy Rule and Security Rule are being met. Failure to do so could result in a finding of systemic non-compliance, which, as the Metro and Lifespan cases show, can prove to be quite expensive.