2013 brought a flurry of enforcement actions, with federal agencies investigating failures by healthcare providers, treatment facilities, and health insurance plans to have appropriate safeguards in place to protect sensitive health information. Resolution agreements between HIPAA [Health Insurance Portability and Accountability Act] covered entities and the Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) settling violations of the HIPAA Privacy and Security Rules netted over $3.8 million in penalties.
In addition, most of the agreements include corrective action plans in which organizations are under the government's microscope as they conduct information privacy and security risk assessments and put appropriate physical, technical, or administrative safeguards into place. However, 2013's most costly enforcement action could well be the year-end settlement between the Federal Trade Commission (FTC) and a HIPAA business associate that did not incur a financial penalty but puts into place a corrective action plan that includes 20 years of mandatory, government-supervised bi-annual security risk assessments.
Accretive Health, Inc. is a Chicago-based company that provides medical billing and revenue management services to hospitals around the country. With employees assigned onsite at hospitals, the company provides end-to-end accounting, management, and collection of a hospital's practice management services related to registration, transcription, coding, billing, strategic pricing, and collection of past due accounts. In July 2011 (after passage of the HITECH Act but before HHS expanded the HIPAA requirements to business associates), an Accretive employee's laptop computer, containing healthcare treatment information, Social Security numbers, and other financial information for 23,000 patients, was stolen from the passenger compartment of the employee's car in Minneapolis. Accretive agreed to settle FTC charges that its inadequate data security measures exposed sensitive consumer information.
The FTC's complaint alleged failures to provide reasonable and appropriate security measures and procedures to protect consumers' personal information, including sensitive personal health information. Accretive had access to a wealth of personal information about the patients of its hospital clients, including names, dates of birth, Social Security numbers, billing information, and medical diagnostic information. The FTC's investigation found that Accretive created unnecessary risks by transporting laptops that contained sensitive personal information in a way that left them vulnerable to theft. The data on the stolen laptop was not encrypted, and the laptop had been left on the car's front seat by the employee.
The FTC's investigation was brought on by the incident with the missing laptop, but the allegations included in the settlement with Accretive document much broader concerns about how the company failed to safeguard sensitive patient treatment and financial data. The lapses alleged by the FTC are illustrative when compared with the requirements of the HIPAA/HITECH Omnibus Rule that took effect in 2013. Specifically, the complaint charged that the company created unnecessary risks to the confidentiality or security of consumers' health and financial data by:
- Transporting laptops containing personal information in a way that made them vulnerable to theft or misappropriation;
- Failing to limit access to consumers' personal information to employees who really needed it to do their jobs;
- Failing to see to it that employees securely remove sensitive information from their computers once there is no longer a business need; and
- Failing to remove consumers' personal information from employees' computers after it was used for staff training sessions.
To settle the case, Accretive agreed to put a comprehensive information security program in place that includes bi-annual risk assessments for compliance with federal privacy and security requirements, performed by an independent monitor who will report its findings to the FTC for the next 20 years. The HIPAA covered entities whose data was stored on the laptop computer were not cited in the action brought by the FTC.
Reading the allegations brought by the FTC against the recently enacted HIPAA/HITECH Omnibus Rule brings home clear parallels to the steps business associates of HIPAA covered entities must put into place. Under the Omnibus Rule, business associates are responsible for compliance with the full HIPAA Security Rule and those portions of the Privacy Rule that apply to what they are doing on behalf of the covered entity. This means the vendor's responsibilities, once it takes possession of the information, go well beyond access alone. It is therefore imperative to understand exactly what the covered entity's expectations are regarding security, starting with what constitutes the minimum necessary information for the contract through the disposition of any data and/or access at contract termination.
If there is a breach involving a vendor, OCR is likely to investigate the relationship between the covered entity and the business associate first to understand what is involved. One of the things it may look at is whether the information involved in the incident should have been in the vendor's possession to begin with, whether or not there is an agreement that lays out expectations, whether any due diligence was performed, and whether the covered entity knew of any situation that gave cause for concern.
David S. Holtzman, JD, CIPP