A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.
The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida. In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider. ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:
- The disclosure affected 9,225 patients.
- ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
- ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
- ACH failed to conduct a security risk analysis until after the breach was discovered.
To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.
The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado. The ensuing investigation revealed:
- The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
- The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.
The settlement agreement requires PSMC to pay a penalty of $111,400 and meet its obligations under a corrective action plan that addresses the identified failures and additional matters, including a security risk analysis, security management, and training.
The penalties imposed in these two settlements seem small compared to many settlements that we have seen in recent years. The settlement agreements do not present enough facts to explain the settlement amounts. For PSMC, we do not know whether the former employee or the business associate that impermissibly received PHI did anything that further exposed the PHI that they received. The ACH matter is different. It involved many more individuals and a disclosure that clearly went beyond a single individual or entity. In ACH’s favor, it is not clear who would have had access to the website where the PHI was posted, and ACH did, on its own, notify HHS of the breach and take certain corrective actions.
The two settlements remind us that HIPAA compliance beats HIPAA complacence. HIPAA enforcement can have a long life. The two settlements relate to incidents that occurred four or five years ago. It may not be possible to undo errors of the past, but changes after the fact can still protect against future breaches and could help reduce penalties if an investigation of past violations does occur.