Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement


Blog# 1272020HIPAA

Heidi Macomber reads November 7, 2019 news update from the Department of Health and Human Services, Office of Civil Rights re URMC $3 million settlement for failure to encrypt mobile devices.

Today I am adding HIPAA as a topic to my blog posts. Whether or not you work in healthcare, you come in contact with it as customers and patients of healthcare products and services. HIPAA is a topic in which we should all have some knowledge.

I like to learn through case studies because this is where all the rules of policy and procedure, compliance and risk become real and understandable. They are story and reality all wrapped up in one long, tightly detailed document that most people don’t care to read.

Don’t worry, I’m going to do some of that reading for both of us. I’ll try to keep the summary at the beginning and then go into more detailed reading for anyone that likes to dig into all the pieces for a deeper understanding.

This first HIPAA post covers a November 5, 2019 news update from the US Department of Health and Human Services website and concerns a highly regarded organization located in Rochester, NY (near my home town of Canandaigua). HHS OCR reported that a surgeon’s personal unencrypted laptop was stolen from a facility and it allegedly contained ePHI belonging to 43 patients. The incident was reported to HHS and subsequent investigations revealed that the organization “…failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held…”. They also failed to implement adequate security measures to reduce risk, policy, and procedure to govern ePHI and ultimately mechanisms to encrypt or decrypt ePHI. Both parties entered a Resolution Agreement requiring URMC to accept a Corrective Action Plan, committed to curing the breach and submitting to two years of OCR HIPAA compliance monitoring.

In case you did not know, the Office of Civil Rights (OCR), a division of the US Department of Health and Human Services is charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (along with other Federal standards protecting our rights to nondiscrimination, conscience, religious freedom, and health information privacy).

The following is a word for word reading of the November 5, 2019, HHS OCR news update.

The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.

URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html.

HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):

  • (i) URMC impermissibly disclosed the ePHI of 43 patients when an unencrypted personally-owned laptop used in the course of treatment at UR.MC containing URMC ePHI was stolen from a treatment facility. See 45 C.F.R. §164.502(a).
  • (ii) URMC failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by URlvlC, including the ePHI on the aforementioned flash drive and laptop computer. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • (iii) URMC failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). See 45 C.F.R. §164.308(a)(l)(ii)(B).
  • (iv) URMC failed to implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out o f a facility, and the movement of these items within the facility. See 45 C.F.R. § 163.310(d).
  • (v) URMC failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measu1·e to encryption to safeguard ePHI. See 45 C.F.R. § 164.31 2(a)(2)(iv).

Privacy and Security Provisions

The policies and procedures shall include measures to address the following Privacy and Security
Rule provisions (Minimum Content of Policies and Procedures):

  1. Uses and Disclosures of PHI- 45 C.F.R. §164.502(a)
  2. Risk Analysis- 45 C.F.R. §164.308(a)(1)(ii)(A)
  3. Risk Management 45 C.F.R. §164.308(a)(1)(ii)(B)
  4. Device and Media Controls- 45 C.F.R. § 164.310(d)
  5. Encryption and Encryption- 45 C.F.R. §164.312(a)(2)(iv)

Summary

The agreement is not an admission of liability by URMC nor a concession by HHS that URMC is not in violation of HIPAA Rules and not liable for civil money penalties.

The agreement is an intention to resolve the matter without formal proceedings according to the following terms and conditions:

  • URMC will pay HHS $3M (“Resolution Amount”) on or before November 1, 2019
  • URMC agrees to comply with the Corrective Action Plan (“CAP”)
  • URMC is released from HIPAA Rules related to the investigations in OCR Transaction Numbers 13-159482, 15-211840, 18-285943, 19-326000, and the Covered Conduct identified in paragraph I.2 of the Agreement.
  • Conduct Risk Analysis, Develop and Implement a Risk Management Plan and Implement a Process for Evaluating Environmental and Operational Changes
  • Review and Revise its current Privacy and Security Rules Policies and Procedures (“Policies and Procedures”)
  • Distribute and Updated its Policies and Procedures to all members of the workforce within 30 days of HHS approval as well as within 30 days to appropriate new workforce members. URMC will obtain signed written or electronic initial compliance certification within 60 days of ditribution of the updated P&P and then assess, update, and revise P&P atleast annually (and distributing significant revisions within 30 days to all members).

URMC will fully restrict access to ePHI to all members of its workforce if they have not signed or provided written or electronic certification. There are exceptions when not feasible for patient safety).

Reportable Events. URMC will promptly investigate P&P compliance failures, and notify HHS within 60 days of any material breaches (“Reportable Events”) including the following:

  1. A description of the event, including the relevant facts, the role(s) of the persons involved, and the provision(s) of the policies and procedures implicated; and
  2. A description of the actions taken and any further steps URMC plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Policies and Procedures.
  3. If no Reportable Events occur within the Compliance Term, URMC shall so inform HHS in its Annual Report

Resources

HHS Press Release

Resolution Agreement and Corrective Action Plan

45 CFR 160.103

§ 164.502 – Uses and disclosures of protected health information: General rules.

45 CFR 308 (a) – Administrative Safeguards – Covered Entity and Business Associate

45 CFR 164.310 – Physical Safeguards

Public Law 104-191

2013 HIPAA Omnibus Final Rule


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s