In a refrain that should sound familiar, the HHS Office for Civil Rights (OCR) last month announced a new settlement agreement with a covered entity (CE) that it said failed to complete an acceptable security risk analysis and to encrypt its mobile devices.
OCR’s attempts to collect $4.358 million from the University of Texas MD Anderson Cancer Center are its most notable action related to lack of encryption, with the fine still the subject of ongoing litigation.[1] OCR pinned the new settlement[2] with the University of Rochester Medical Center (URMC) on incidents that occurred in 2013 and 2017—but it also harked back to one from 2010. Legally, the 2010 loss is too old to be factored into a penalty, as the statute of limitations is six years.
The agency said URMC notified it on May 6, 2013, that an unencrypted flash drive was “lost” on Feb. 15, 2013. In the settlement documents, OCR did not say how many patients were affected by this breach. However, according to an entry on OCR’s breach notification website, an incident on that date involved electronic protected health information (ePHI) for 537 patients, and URMC’s public breach notice at the time provided more details.
URMC said that a “resident physician misplaced a USB computer flash drive that carried PHI. The flash drive was used to transport information used to study and continuously improve surgical results. The information was copied from other files and so its loss will not affect follow-up care for any patients.”[3]
The PHI consisted of “names, gender, age, date of birth, weight, telephone number, medical record number, orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure, and complications, if any.” URMC added that no addresses, Social Security number or insurance information was on the flash drive.
URMC said in 2013 that the flash drive “is believed to have been lost at a URMC outpatient orthopaedic facility. After an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry. A search of the laundry service, which works exclusively with hospital/medical facilities, also failed to locate the drive,” it said.
OCR told URMC two months after receiving the breach notification that it was “initiating an investigation” regarding its HIPAA compliance. It is not clear whether that investigation was ever concluded or if it was still ongoing by 2017, when URMC made a second, unrelated breach report.
As OCR stated, on Jan. 26, 2017, “URMC reported that an unencrypted personal laptop of one of its resident surgeons containing URMC ePHI was stolen from a treatment facility.” The laptop contained PHI for just 43 patients, and again, OCR launched an investigation into compliance, it said in the settlement. No additional information about this incident is publicly available.
The 2010 breach is mentioned only in broad outline, but it was apparently pivotal to the agency’s new $3 million settlement and CAP. “Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC,” the agency said in announcing the enforcement action.
“Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices,” OCR alleged.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino. He added that when CEs “are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
Failure to Complete Risk Analysis Cited
OCR provided no information as to how it arrived at the $3 million amount, but the mention of “neglect” by Severino could indicate that OCR levied penalties under the higher “willful neglect” tier rather than the lower tier called “reasonable cause.”
OCR’s penalty structure, which is worded as if it applies to a person, changed in April. Previously all tiers were subject to a cap of $1.5 million per year. As of now they are as follows:
- The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision: $100 minimum, $25,000 per year;
- The violation was due to reasonable cause, and not willful neglect: $1,000 minimum, $100,000 per year;
- The violation was due to willful neglect that is timely corrected: $10,000 minimum, $250,000 per year;
- The violation was due to willful neglect that is not timely corrected: $50,000 minimum, $1.5 million per year.
OCR identified five infractions, saying that URMC:
- “Impermissibly disclosed the ePHI of 43 patients when an unencrypted personally-owned laptop used in the course of treatment at URMC containing URMC ePHI was stolen from a treatment facility. See 45 C.F.R. § 164.502(a).
- “Failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI held by URMC, including the ePHI on the aforementioned flash drive and laptop computer. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
- “Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). See 45 C.F.R. § 164.308(a)(1)(ii)(B).
- “Failed to implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 164.310(d).
- “Failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI. See 45 C.F.R. § 164.312(a)(2)(iv).”
The CAP requires URMC to address these and related issues.[4]
URMC: ‘Deeply Committed’ to Privacy
URMC officials did not answer any of RPP’s questions. Instead, they provided the following statement, which noted there was no harm from the breaches at the heart of the settlement.
“URMC has agreed to pay $3 million to [HHS] to settle alleged past violations of security requirements for protecting the health information of our patients.
The settlement agreement concludes an investigation into IT security practices at URMC, following two unrelated incidents that the medical center voluntarily reported in 2013 and 2017. Potentially affected patients were notified at the time both of these incidents occurred, and we have no reason to believe that any patient’s personal health information was misused.
The medical center is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach. As part of the settlement with HHS, we will undertake a comprehensive audit of security practices and implement any corrective actions needed to ensure our safeguards are as strong as possible.”
Breach History Includes NY AG Payment
URMC previously reported[5] to OCR two unrelated paper-based breaches that appear on the agency notice website (only those affecting 500 or more individuals are posted); these do not seem to have figured into OCR’s calculations as they are not mentioned.
The first was reported on May 20, 2010, and involved 2,628 individuals. The website indicates OCR did perform some oversight in this case. Interestingly, OCR said at the time that it reviewed URMC’s risk assessment—one of the things it found so lacking years later.
The breach at issue occurred on April 19, 2010, and involved 2,628 patient billing statements for Strong Memorial Hospital that were misdelivered.
The PHI that was inappropriately disclosed included “patients’ names, addresses, guarantors’ names, guarantors’ addresses, dollar amounts owed, health insurance plans, subscriber numbers, social security numbers, general descriptions of services rendered (such as inpatient room charge, outpatient visit charge, physical therapy, laboratory, pharmacy, radiology, etc.) and dates of service,” according to the entry on the website.
OCR reported on the website that URMC’s corrective actions included establishing a “numerical counter to ensure that the numbers of statements that run through the folding machine are matching the numbers of statements that are printing”; adding a report to the “statement bundles distributed by the printing center that identifies the number of pages printed for each statement run”; and instituting “a quality control process…where a second staff member manually inspects stuffed envelopes on a random basis to ensure that the correct number of pages are inserted as well as verifying that the contents are all for the same patient.”
The agency added that, “As a result of OCR investigation, OCR reviewed a copy of the CE’s risk assessment and policies and procedures relating to uses and disclosures of [PHI] and safeguarding PHI.”
The other breach, while not the subject of OCR action, did trigger a settlement agreement and a fine with the New York attorney general. In fact, that state settlement obligated URMC to follow a three-year CAP that was scheduled to have ended in November of last year.
On May 22, 2015, URMC notified OCR that 3,404 individuals were affected by an “unauthorized access/disclosure” related to “paper/films,” according to the OCR website. What actually happened was that a URMC neurology nurse practitioner took a spreadsheet of patient information to a new employer she intended to join, and those patients were contacted by that provider group—a HIPAA violation because the PHI was being used for marketing and no patients had consented.
In November of that same year, URMC and the New York attorney general’s office reached a $15,000 settlement and CAP[6] that, like OCR’s, called for new policies and procedures as well as enhanced workforce training.