Insights About Future Use of Protected Health Information Under HIPAA

How will Protected Health Information (PHI) be used in the future? Reed Smith partner Brad Rostolsky strives to answer this question in “HIPAA Enforcement: The Next Step,” an interview and accompanying article that appeared on HealthcareInfoSecurity on October 14th. The article discusses a number of trends predicted for the near future stemming from the HIPAA Omnibus Rule introduced last year, such as an increase in the number of investigations by the Department of Health and Human Services’ Office for Civil Rights regarding the illegal use, disclosure, and sale of PHI without patient authorization, particularly when used for marketing and fundraising purposes. The article also provides recommendations for companies preparing for HIPAA compliance audits, privacy concerns related to the use of consumer health information on social media, and potential HIPAA privacy issues involving wearable consumer health devices.

To listen to the interview and read the article, click here.

Recent OCR Enforcement Activities Cause Serious Case of Déjà Vu: Theft of Unencrypted Laptops Leads to Two Separate HIPAA Settlements

This post was written by Brad Rostolsky, Nan Bonifant and Jillian Riley

We have heard this story before: an unencrypted laptop containing electronic protected health information (ePHI) is stolen. The covered entity’s subsequent breach self-report triggers not only an incident investigation by the Department of Health and Human Services, Office for Civil Rights (OCR), but a de facto HIPAA compliance audit as well. While the covered entities involved change, the consequences and enforcement message remain the same.

Now, two more covered entities have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of $1,975,220, and agreeing to continued oversight by OCR through Corrective Action Plans (CAPs). In both instances, the breaches were self-reported and the settlements resulted from OCR’s subsequent investigations.

On December 28, 2011, Concentra Health Services (Concentra), a national health care provider and subsidiary of Humana Inc., reported to OCR that an unencrypted laptop was stolen from one of its facilities. OCR’s subsequent investigation revealed that while Concentra previously recognized that a lack of encryption on laptops, desktops, medical equipment, and tablets presented a critical risk to ePHI, Concentra failed to fully implement necessary steps to address those vulnerabilities. OCR’s investigation further found that Concentra had insufficient security management processes in place to ensure proper safeguarding of patient information. Concentra paid OCR $1,725,220 to resolve these alleged HIPAA violations and will adopt a CAP to evidence their remediation efforts.

The second settlement, which resulted in a $250,000 payment to OCR, stemmed from the theft of an unencrypted laptop from an employee’s car on October 8, 2011. The laptop, belonging to a workforce member of QCA Health Plan, Inc. of Arkansas (QCA), contained the ePHI of 148 individuals. While QCA instituted company-wide device encryption following discovery of the breach, OCR’s subsequent investigation revealed that QCA had failed to comply with multiple requirements of the HIPAA Security Rule, beginning from the Rule’s compliance date in April 2005. In addition to the monetary settlement amount, QCA agreed to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks and vulnerabilities to its ePHI. QCA also agreed to retrain its workforce and document its ongoing compliance efforts.

Unfortunately, as portable devices continue to proliferate in the health care industry, the question for most covered entities is not if a laptop or mobile device will be stolen, but when. Encryption not only provides a safe harbor under the Breach Notification Rule, but it has also become a practical necessity for HIPAA compliance. Failure to address encryption of portable devices in Security Rule risk analyses and, in most cases, failure to implement some form of encryption, will continue to expose covered entities (as well as business associates) to significant compliance risk.


County Governments Not Immune From HIPAA Enforcement: OCR Announces $215,000 Settlement with Skagit County, Washington

This post was written by Brad Rostolsky, Nan Bonifant, and Jen Pike

On March 7, 2014, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan with a county government. Skagit County in northwest Washington State has agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules.

According to Susan McAndrew, deputy director of health information privacy at OCR, “this case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size.” Generally, local and county governments are subject to HIPAA because certain departments within the government are involved in the provision of or payment for health care services. The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Importantly, a single legal entity whose business activities include both HIPAA covered and non-covered services (like a county government) may designate itself as a “hybrid entity” by identifying its “health care components.” This designation, however, must be formally documented in the entity’s policies and procedures. Most of the requirements of the Privacy, Security and Breach Notification Rules apply only to the hybrid entity’s health care components.

OCR began investigating Skagit County following a breach self-report notifying OCR that the electronic protected health information (“ePHI”) of seven individuals receiving services from the Skagit County Public Health Department was posted on a publicly available server maintained by the county and accessed by unknown parties. The investigation revealed that the ePHI of not just seven, but 1,581, individuals was made available on the public server. The ePHI, which could be accessed through a simple Google search, included highly sensitive information, such as the testing and treatment of infectious diseases. OCR’s investigation further revealed Skagit County’s general and widespread non-compliance with the HIPAA Privacy, Security and Breach Notification Rules, including a failure to implement sufficient policies and procedures.

In addition to the $215,000 settlement, the Resolution Agreement between Skagit County and OCR included a corrective action plan (“CAP”) that requires Skagit County to, among other things, (1) provide substitute breach notification to affected individuals not previously notified; (2) create and revise written policies and procedures to comply with HIPAA; and (3) submit for OCR’s review and approval hybrid entity documents designating the county’s covered health care components. The CAP also requires Skagit County to provide regular status updates to OCR, which will work closely with the county to correct deficiencies.

While OCR marks this settlement as the first with a county government, it is not the first for a public entity. In June 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to settle possible violations of the Security Rule. Notably, both of these enforcement actions, and most actions since 2012, have resulted from a breach self-report used by OCR as an opportunity to conduct a de facto audit of the entity’s general HIPAA compliance. Whether this enforcement trend will continue will likely depend upon the scope (and perhaps more importantly, the funding) of OCR’s second round of statutorily required audits of covered entities and business associates. Regardless, given the environment of increased OCR enforcement, regulated entities should ensure, at a minimum, that they have implemented the basic elements of HIPAA compliance: performance of a Security Rule risk analysis, implementation of sufficient policies and procedures (including documentation of any hybrid entity designation), and adequate training of workforce members.


Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identification of the individual; (3) retrieval of test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notice of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and removing any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

This post was written by Jennifer Pike and Brad Rostolsky

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.
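A constructed illustration of the two audit-control standards above, added here and not part of the original post or of any ONC or OCR material: an audit record that carries both the accessing user and the patient whose PHI was touched, and the review and investigation queries that this granularity makes possible. All user ids, patient ids, log lines and the care-relationship table are made up, and the two review heuristics are assumptions of this example, not a regulatory requirement.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhiAccess:
    """One audit-control record at the granularity the Tiger Team recommends:
    which human user accessed which individual's PHI, plus what and when."""
    ts: str          # timestamp of the access (ISO-8601, constructed)
    user_id: str     # (i) the individual user accessing PHI
    patient_id: str  # (ii) the individual whose PHI is accessed
    action: str      # what was done: view, print, export (constructed vocabulary)
    record: str      # which part of the designated record set was touched


def parse_line(line: str) -> PhiAccess:
    """Parse one pipe-delimited log line. The format is constructed for this
    example; a real EHR or audit system emits its own schema."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed audit line: {line!r}")
    return PhiAccess(*fields)


# Constructed sample log: a few accesses by clinical and billing staff.
SAMPLE_LOG = """\
2013-12-04T08:01:00|dr_adams|pt-1001|view|progress-note
2013-12-04T08:03:00|dr_adams|pt-1001|view|lab-result
2013-12-04T09:15:00|billing_kim|pt-1001|view|claim
2013-12-04T09:40:00|billing_kim|pt-2002|view|claim
2013-12-04T11:10:00|nurse_lee|pt-3003|view|medication-list
2013-12-04T11:12:00|nurse_lee|pt-4004|view|progress-note
2013-12-04T11:13:00|nurse_lee|pt-5005|export|demographics
"""

# Constructed table of documented treatment/payment relationships: which users
# have a recorded reason to touch which patient's record.
RELATIONSHIPS = {
    ("dr_adams", "pt-1001"),
    ("billing_kim", "pt-1001"),
    ("billing_kim", "pt-2002"),
    ("nurse_lee", "pt-3003"),
}


def load_log(text: str) -> list[PhiAccess]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def who_accessed(events: list[PhiAccess], patient_id: str) -> list[str]:
    """Investigation question for standard (ii): which users touched this
    patient's PHI? Answerable only because each record carries the patient id."""
    return sorted({e.user_id for e in events if e.patient_id == patient_id})


def patients_accessed_by(events: list[PhiAccess], user_id: str) -> list[str]:
    """Investigation question for standard (i): whose PHI did this user access?"""
    return sorted({e.patient_id for e in events if e.user_id == user_id})


def review(events, relationships, max_patients_per_user=3):
    """Information-system activity review (section 164.308(a)(1)(ii)(D)) run over
    the log. Two heuristics, both assumptions of this example: an access with
    no documented relationship, and a user touching unusually many patients."""
    findings = []
    by_user = defaultdict(set)
    for e in events:
        by_user[e.user_id].add(e.patient_id)
        if (e.user_id, e.patient_id) not in relationships:
            findings.append(("no-relationship", e.user_id, e.patient_id, e.ts))
    for user, patients in by_user.items():
        if len(patients) >= max_patients_per_user:
            findings.append(("high-volume", user, f"{len(patients)} patients", ""))
    return findings


if __name__ == "__main__":
    events = load_log(SAMPLE_LOG)
    print("users who accessed pt-1001:", who_accessed(events, "pt-1001"))
    for finding in review(events, RELATIONSHIPS):
        print(finding)
```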

HHS Seeks to Reduce Gun Violence Via Modifications to the HIPAA Privacy Rule

This post was written by Nancy E. Bonifant and Jennifer L. Pike

After receiving more than 2,000 comments to its April 2013 Advance Notice of Proposed Rulemaking, the Department of Health & Human Services (“HHS”) has proposed to amend the HIPAA Privacy Rule to expressly permit certain covered entities to report to the National Instant Criminal Background Check System (“NICS”) the identities of individuals who are prohibited by federal law, for mental health reasons, from possessing firearms (commonly referred to as the “mental health prohibitor”).

The NICS is the system used to determine whether a potential firearms recipient is statutorily prohibited from possessing or receiving a firearm. The mental health prohibitor applies to individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty by reason of insanity; or (3) otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others, or being incapable of managing their own affairs.

While most records related to involuntary commitments and mental health adjudications originate in entities affiliated with the criminal justice system (which are generally not subject to HIPAA), state entities outside the criminal justice system may also be involved. If these state entities are HIPAA-covered entities, or if a HIPAA-covered entity is the state repository for such records, then these records are subject to HIPAA.

Under the existing HIPAA Privacy Rule, there are circumstances where records subject to HIPAA may be reported to the NICS. For example, the Privacy Rule permits any covered entity to disclose information to the NICS to the extent such reporting is required by state law. In the absence of a state law requirement, however, reporting to the NICS is only permissible to the extent a covered entity designates itself as a hybrid-covered entity, and the relevant information is maintained and reported through the non-HIPAA regulated portion of that entity. As a result, OCR has cited concerns that the existing HIPAA Privacy Rule may be preventing some state entities (which likely perform both HIPAA-covered and non-covered functions) from reporting to the NICS the identities of individuals subject to the mental health prohibitor. Therefore, HHS has proposed to add to the Privacy Rule new provisions at 45 CFR § 164.512(k)(7), which would permit certain covered entities to disclose the minimum necessary demographic and other information for NICS reporting purposes.

Notably, this new permission would apply only to covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a state, or that are responsible for ordering the involuntary commitments or other adjudications that make an individual subject to the federal mental health prohibitor. Further, the new permission would strictly limit the information used or disclosed for NICS reporting purposes to the minimum necessary—HHS considers the minimum necessary information to include: (1) an individual’s name; (2) an individual’s date of birth; (3) an individual’s sex; (4) a code or notation indicating that the individual is subject to the federal mental health prohibitor; (5) a code or notation representing the reporting entity; and (6) a code identifying the agency record supporting the prohibition. The new permission would not permit the use or disclosure of clinical or diagnostic information.

HHS is seeking comments related to the proposed rule. Comments may be submitted in writing or electronically on or before March 10, 2014.

OCR OUT OF COMPLIANCE? OIG Report Concludes OCR Slow To Enforce HIPAA Security Rule and To Comply with Federal Cybersecurity Requirements

This post was written by Nancy E. Bonifant and Brad M. Rostolsky

According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule.

The OIG’s report, which followed an assessment of OCR’s Security Rule oversight and enforcement activities from July 2009 through May 2011, concluded that:

  • OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess the status of Security Rule compliance
  • OCR failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule

To address these findings, the OIG recommended that OCR: (i) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (ii) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; and (iii) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.

Separately, the OIG also assessed OCR’s computer systems as of May 2011, and concluded that OCR had not fully complied with the cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data, because it focused on system operability to the detriment of system and data security. As a result, the OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

In response, OCR generally concurred with the recommendations and described the actions it has taken to address the OIG’s concerns since May 2011. Notably, while OCR did initiate a pilot audit program in November 2011 and has subsequently audited 115 covered entities, OCR also explained that the funds used to support those audit activities are no longer available, and no funds have been appropriated for it to maintain a permanent audit program.

In consideration of the OIG’s report and OCR’s response, the looming questions that remain are how OCR will fund its statutorily required enforcement and compliance activities, and whether covered entities and business associates should expect increased enforcement to help subsidize OCR’s compliance going forward.

Physician Practice Caught in OCR Crossfire Following Theft of Unencrypted Flash Drive

This post was written by Brad M. Rostolsky and John E. Wyand

The theft of an unencrypted flash drive has led to an agreement by Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), to pay $150,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009. Significantly, it also marks one of the few instances where OCR has taken enforcement action against a smaller covered entity provider.

OCR opened an investigation of APDerm upon receiving a report that an unencrypted flash drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The flash drive was never recovered, and the investigation revealed that APDerm had not conducted “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” as part of its security management process. In other words, OCR continues to target the failure of covered entities to conduct a risk assessment under the Security Rule. Furthermore, OCR focused on APDerm’s failure to maintain appropriate policies and procedures, as well as the associated training, pursuant to the requirements of the Breach Notification Rule.

In addition to a $150,000 settlement, OCR imposed a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

A copy of the Resolution Agreement and Corrective Action Plan may be found here.

If Your Old Photocopier Could Talk, What Would It Say? Health Plan's Used Photocopier Linked to $1.2 Million HIPAA Settlement

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike.

Who knew that photocopiers stored information? Apparently "CBS Evening News" did, and now an April 2010 investigative report has led to a million-dollar HIPAA settlement.

Affinity Health Plan, Inc. (Affinity), a New York-based, not-for-profit health plan, agreed to pay the Office for Civil Rights (OCR) $1,215,780 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement resulted from a breach self-report by Affinity, which first learned of the electronic protected health information (PHI) stored on its formerly leased photocopier’s hard drive from "CBS Evening News" (CBS).

In April 2010, CBS conducted an investigative report on the security risks associated with digital photocopiers, which, since 2002, typically contain hard drives that can store an image of every document copied, scanned, or emailed from the machine. As part of the investigation, CBS purchased four randomly selected used photocopiers, including one previously leased by Affinity. On the machine's hard drive, CBS found 300 pages of individuals' medical records.

Following Affinity's breach self-report, OCR found that Affinity impermissibly disclosed PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the machines’ hard drives. OCR further determined that Affinity (1) failed to include electronic PHI stored on photocopiers’ hard drives in its required Security Rule risk analysis, and (2) failed to implement its existing policies and procedures when returning photocopiers to its leasing agents.

In addition to the $1.2 million settlement, the Resolution Agreement between OCR and Affinity included a corrective action plan (CAP). The CAP requires Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by Affinity and that remain in the possession of the leasing agent. Affinity must also (1) conduct a comprehensive risk analysis that incorporates all electronic equipment and systems controlled, owned, or leased by Affinity; (2) develop a plan to address and mitigate security risks and vulnerabilities found in its analysis; and (3) if necessary, revise its current policies and procedures accordingly.

The global take-away from this latest enforcement action is that an entity's failure to comply with the obligation to conduct a comprehensive Security Rule risk analysis remains OCR’s primary, and most often used, trigger to take significant enforcement action. Since almost every business uses photocopiers, Affinity serves as a reminder that all covered entities and business associates should implement policies and procedures to ensure that all hard drives are scrubbed of PHI before leaving their possession. More information on safeguarding sensitive data stored in the hard drives of digital photocopiers can be found here.

For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.  

OCR Continues to Use Breach Self-Reports as an Invitation to Audit General HIPAA Compliance

Massachusetts Provider Becomes Third Seven-Figure Settlement Since March

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On September 17, 2012, the HHS Office of Civil Rights ("OCR") announced another settlement and corrective action plan following an entity’s breach self-report required by HITECH’s Breach Notification Rule. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule following the theft of a physician’s unencrypted, but protected, laptop, providing additional evidence that: (1) OCR will likely view any breach notification as an opportunity to conduct a de facto audit of an entity’s general HIPAA compliance; and (2) encryption of all portable devices containing electronic protected health information ("ePHI"), though not technically "required," is a critical compliance consideration.

The information contained on the laptop, which was stolen while the physician was lecturing in South Korea in 2010, included prescriptions and clinical information for approximately 3,600 patients and research subjects. According to MEEI, although unencrypted, the laptop was password protected and contained a tracking device commonly referred to as "LoJack." Using LoJack, MEEI determined that a new operating system had been installed on the computer and that the software needed to access the ePHI had not been reinstalled. After concluding that retrieval of the laptop was unlikely, MEEI remotely and permanently disabled the hard drive, rendering any ePHI unreadable.

Although OCR’s subsequent investigation revealed no patient harm as a result of the breach, the agency did find that the breach indicated a long-term, organizational disregard for the requirements of the Security Rule. More specifically, over an extended period of time, MEEI failed to:

  • Conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices;
  • Adopt and implement policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopt and implement policies and procedures to address security incident identification, reporting, and response.

Following on the heels of the Alaska Department of Health and Social Services’ $1.7 million settlement in June, which also followed a breach that affected a relatively small number of individuals, OCR’s recent enforcement actions suggest that its focus is on the lack of overall HIPAA compliance that may lead to a breach and not the breach itself. This settlement also reaffirms the practical necessity of encrypting all ePHI on portable devices. According to Leon Rodriguez, Director of OCR, "[i]n an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices."

In addition to the $1.5 million settlement, the Resolution Agreement between MEEI and OCR included a corrective action plan, which requires MEEI to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule, and retain an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. MEEI did not admit any liability in the agreement and OCR did not concede that MEEI was not liable for civil monetary penalties.


Massachusetts Attorney General Strikes: South Shore Hospital Settles Data Breach Allegations for $750,000

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On May 24, 2012, the Attorney General of Massachusetts announced that South Shore Hospital of South Weymouth, Massachusetts (South Shore) agreed to settle allegations that it failed to protect the personal and protected health information of more than 800,000 individuals.  The settlement resulted from the hospital’s data breach report to the Attorney General in July 2010, which was also reported to the HHS Office of Civil Rights in accordance with the HIPAA Breach Notification Rule.  Although the Attorney General reported a $750,000 settlement, South Shore was credited $275,000 for new security measures taken after the breach, bringing the actual amount to $475,000, of which $250,000 is a civil penalty and $225,000 shall be paid to an education fund to be used by the Attorney General’s Office to promote education concerning the protection of personal and protected health information.  South Shore also agreed to undergo a review and audit of its security measures and report the results to the Attorney General.

In February 2010, South Shore contracted with Archive Data Solutions (Archive Data) to erase and re-sell 473 data tapes. According to the Attorney General, South Shore did not inform Archive Data that the tapes contained personal and protected health information, including individuals’ names, Social Security numbers, financial account numbers, and medical diagnoses. The tapes were then shipped to a Texas subcontractor, but in June 2010, South Shore learned that only one of the three boxes of tapes arrived. The two missing boxes were never recovered and there have been no reports of unauthorized use of the information.

Following its investigation of South Shore’s breach report, the Attorney General filed a lawsuit under the Massachusetts Consumer Protection Act and HIPAA. Pursuant to HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009, State Attorneys General have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, which include obtaining damages and enjoining further violations. In the lawsuit, the Attorney General alleged that South Shore failed to implement appropriate safeguards, policies, and procedures to protect the information, failed to have a Business Associate Agreement in place with Archive Data, and failed to properly train its workforce.

Small Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On April 17, 2012, the HHS Office of Civil Rights (OCR) announced a settlement and corrective action plan with Phoenix Cardiac Surgery, P.C. (Phoenix), a small cardiology practice based in Phoenix and Prescott, Arizona. More specifically, Phoenix has agreed to pay $100,000 to settle allegations of HIPAA violations arising out of an investigation conducted by OCR.

OCR’s investigation of Phoenix followed a report that Phoenix was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR discovered the following issues:

  • Phoenix failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix failed to identify a security official and conduct a risk analysis; and
  • Phoenix failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.

This settlement serves as additional evidence of OCR’s increased focus on enforcement actions for alleged HIPAA violations, following just one month after the first enforcement action resulting from a breach self-report under the Breach Notification Rule. Leon Rodriguez, Director of OCR, said he “hope[s] that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” Additionally, the settlement provides further evidence that OCR will likely view any investigation of an alleged Privacy or Security Rule infraction as an opportunity to conduct a de facto audit of the entity’s general compliance with HIPAA.

In addition to the $100,000 settlement, the Resolution Agreement between Phoenix and OCR requires Phoenix to develop and maintain written Privacy and Security policies, which will set forth, at a minimum, administrative safeguards, technical safeguards, and training of all Phoenix’s workforce members. In addition, Phoenix will provide specific training on the Privacy and Security policies within 60 days of OCR’s approval to all workforce members who use or disclose protected health information and will report any violations of those policies and procedures by a workforce member to OCR within 30 days. Phoenix did not admit any liability in the agreement and OCR did not concede that Phoenix was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at
OCR Announces First Enforcement Action Resulting From a Breach Self-Report

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012, the HHS Office of Civil Rights (OCR) announced the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay HHS $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules and has entered into a corrective action plan to address gaps in its HIPAA compliance program.

The HIPAA/HITECH Breach Notification Rule requires covered entities to report a breach (e.g., an impermissible use or disclosure of protected health information that compromises the security or privacy of the protected health information) to the affected individual(s), HHS and, at times, the media. OCR’s investigation of BCBST followed a breach report submitted by BCBST informing HHS that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained the protected health information of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

According to OCR’s investigation, BCBST failed to implement appropriate administrative and physical safeguards as required by the HIPAA Security Rule. More specifically, BCBST failed to perform the required security evaluation in response to operational changes and did not have adequate facility access controls.

In addition to the $1,500,000 settlement, the Resolution Agreement between BCBST and OCR requires BCBST to revise its Privacy and Security policies, conduct robust trainings for all employees, and perform monitor reviews to ensure compliance with the corrective action plan. BCBST did not admit any liability in the agreement and OCR did not concede that BCBST was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found at

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina M. Cavalier.

Earlier today the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty - which is $4.3 million - was assessed against Cignet Health of Prince George's County, a health insurer. The underlying HIPAA violations include (1) failing to provide patients with access to their medical records, and (2) failing to cooperate with OCR's investigation into the failure to provide access. The HHS press release is available here.

To discuss this or any other HIPAA or data privacy/security issue, please contact Mark S. Melodia or Gina M. Cavalier.