by Daniel J. Solove
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC). SEMC agreed to pay $218,000.
The case began with a complaint filed with OCR back in 2012 that employees were sharing the PHI of nearly 500 patients via an online file-sharing application, without any risk analysis of that practice having been undertaken. OCR’s investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”
In another incident in 2014, SEMC had a breach of unsecured ePHI on a laptop and USB drive involving about 600 patients.
The facts OCR provides in these cases continue to be rather skeletal. It would be nice to see a little more flesh on the bones so more can be learned about these incidents and what went wrong.
The corrective action plan in the resolution agreement includes conducting a self-assessment of employees’ familiarity with policies and procedures regarding how ePHI is transmitted and stored and to revise employee training.
I think it is important to look at each resolution agreement to understand why OCR is singling out particular incidents for monetary penalties. Thus far, only a minuscule fraction of cases have been singled out for this harsh treatment. The vast majority of cases are resolved without penalty. So it is worth exploring what OCR is particularly interested in when it is choosing its cases.
Here are some lessons to be learned from this latest enforcement action:
1. Multiple incidents are a problem.
As Adam Greene (Davis, Wright, & Tremaine LLP) has observed: “The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices.”
2. Simple equation: portable devices + unencrypted ePHI = bad.
So many incidents involve unencrypted ePHI on portable electronic devices such as laptops and USB drives. These portable devices seem to always get lost or stolen. So either (1) don’t put PHI on portable electronic devices; or (2) encrypt, encrypt, encrypt!
3. Be responsive after an incident.
I believe a major reason why OCR chose this case for a penalty was the lack of responsiveness after the 2012 incident. There’s a well-known saying: “It’s not the crime, it’s the cover up.” I think this can be adapted for HIPAA: “It’s not the incident, it’s the follow up.”
4. Have a cloud computing strategy.
Another good tip from Adam Greene is that organizations should address cloud computing with policies, procedures, and training. Cloud computing can bring great benefits but there are some risks, so it must be done responsibly.
5. Have good training.
As I noted above, OCR’s facts about incidents in its resolution agreements are often very sparse, but a lot can be inferred by looking at the corrective action plans. These indicate what OCR thinks is most worth fixing. In the SEMC case, one of the things included in the corrective action plan is training. If employees do something bad and the organization didn’t have good enough training to teach them that what they did was troublesome, then the full force of the blame will go to the organization. Of course, organizations will be held to answer for their employees’ actions, but the level of blame will be much higher if there wasn’t training on the issues that caused the incidents.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.