Stolen Pen Drive Results in $2.2 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving the subsidiary of a multinational insurance company. The subsidiary will pay $2.2 million to settle the potential HIPAA violations and must satisfy numerous requirements under the related corrective action plan (CAP).

Practical Law Legal Update w-005-4740 (Approx. 5 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 20 Jan 2017, USA (National/Federal)
On January 18, 2017, HHS announced a $2.2 million settlement with the Puerto Rico-based subsidiary of a multinational insurance company for potential HIPAA violations (see HIPAA Privacy, Security, and Breach Notification Toolkit). HHS investigated the subsidiary, which is a HIPAA covered entity (CE) and underwriter of life and disability insurance and group health insurance plans, after the subsidiary notified the government of the theft of a pen drive containing electronic protected health information (ePHI).

Scope of HIPAA Compliance Failures

In September 2011, the CE informed HHS that a USB data storage device (pen drive) had been stolen a month earlier from its IT department, where the device had been left overnight without safeguards (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). The device contained the ePHI of 2,209 individuals, including their complete names, dates of birth, and Social Security numbers.
An HHS investigation indicated that the CE:
  • Impermissibly disclosed the ePHI of the 2,209 individuals as a result of the theft of the pen drive.
  • Failed to:
    • conduct an appropriate assessment of the potential risks and vulnerabilities to the ePHI in its possession;
    • implement security measures to reduce risks and vulnerabilities to a reasonable level;
    • implement a security awareness and training program for its workforce members;
    • deploy encryption (or an equivalent alternative measure) on its laptops and removable storage media, which the CE did not do until September 1, 2014, about three years after the theft; and
    • establish appropriate policies and procedures to comply with HIPAA's requirements for safeguarding ePHI.

Corrective Action Plan

In addition to the $2,204,182 payment, the CE must adhere to a corrective action plan (CAP) that includes:
  • Conducting a thorough enterprise-wide analysis of ePHI security risks and vulnerabilities, and submitting that analysis to HHS for its approval.
  • Developing a risk management plan to address and mitigate ePHI security risks identified in the risk analysis, and submitting that plan to HHS for its approval.
  • Conducting an annual ePHI risk assessment.
  • Developing a process to evaluate environmental or operational changes affecting the security of the CE's ePHI.
  • Reviewing and, if necessary, revising its current privacy and security policies and procedures based on findings of its risk analysis and the remedial actions identified in the HHS-approved risk management plan.
  • Distributing the policies and procedures to all the CE's workforce members with access to ePHI. The policies and procedures must be reviewed annually and satisfy specified minimum content requirements set out in the CAP.
  • Promptly investigating possible breaches of the CE's privacy and security policies and procedures by any workforce member or business associate, and reporting breaches to HHS.
  • Forwarding to the government its proposed training materials on its policies and procedures, as revised to reflect HHS's comments, and providing training to workforce members (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials), and annual retraining for the CAP's duration.

Practical Impact

This is not the first stolen removable drive to result in a costly HIPAA settlement with HHS (see, for example, the Legal Update, Theft of USB Flash Drive Results in $1.7 Million HIPAA Security Settlement), and it underscores the particular security challenges presented by such drives, which are small, relatively inexpensive, easy to lose or steal, and able to carry large volumes of ePHI outside a CE's other controls. Encrypting removable media in a manner consistent with HHS's guidance on rendering PHI unusable, unreadable, or indecipherable (which, for data at rest, refers to NIST Special Publication 800-111) means that the loss or theft of a device does not by itself constitute a breach of unsecured PHI, which is why the CE's three-year delay in deploying encryption features so prominently in HHS's findings.
In its press release for this settlement, HHS indicated that the CE either failed to implement, or delayed implementing, certain corrective measures it had told HHS it would undertake, presumably before the final settlement agreement. That may explain why certain obligations under this CAP are more onerous than those in other recent HIPAA settlements. These include a requirement to perform an annual assessment of risks to the CE's ePHI and a lengthy list of minimum content requirements for the CE's revised policies and procedures. HHS's press release also suggests that the settlement amount might have been higher but for the CE's current financial standing.