HHS Imposes $3.2 Million in Civil Money Penalties for Failure to Encrypt
The Department of Health and Human Services (HHS) has announced the imposition of $3.2 million in civil money penalties against a large pediatric health care provider (a HIPAA covered entity) resulting in part from the provider's failure to take appropriate remedial measures in response to the impermissible disclosure of protected health information (PHI). The provider failed to request a hearing regarding HHS's proposed penalty determination, which the government has now finalized.
On February 1, 2017, HHS issued a press release announcing a final determination imposing $3.2 million in civil money penalties against a large health care provider (a covered entity under the Health Insurance Portability and Accountability Act (HIPAA)) resulting from the impermissible disclosure of individuals' protected health information (PHI) (see Legal Update, For the Second Time Ever, HIPAA Privacy Violations Result in Civil Money Penalties (www.practicallaw.com/w-001-4079)).
The provider, which operates several hospitals and clinics, submitted a HIPAA breach notification to HHS in 2010 reporting the loss of an unencrypted, non-password-protected Blackberry containing the electronic PHI of 3,800 individuals (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans (www.practicallaw.com/1-532-2085) and HIPAA Toolkit (www.practicallaw.com/7-502-6708)). During the ensuing HHS investigation, the provider disclosed that two third parties had conducted analyses of its HIPAA compliance, both of which recommended the use of encryption to avoid the loss of PHI going forward. According to HHS, the provider continued to issue unencrypted Blackberry devices, laptops, and other devices to its workforce, despite its knowledge of the analyses' recommendations. The provider also lacked:
Sufficient policies and procedures regarding the receipt and removal of hardware and electronic media containing electronic PHI from its facility.
A comprehensive inventory of devices subject to its device and media control policies.
In 2011 and 2013, two additional disclosures of electronic PHI involving the provider's personnel occurred, the latter of which:
Involved the theft of an unencrypted laptop (likely by the provider's janitorial staff, who were not authorized to access electronic PHI) from an operating room storage area.
Resulted in the disclosure of electronic PHI of more than 2,460 individuals.
HHS attempted to informally resolve its investigation of HIPAA noncompliance with the provider during 2015 and 2016. After those efforts failed, HHS issued a proposed determination of civil money penalties to the provider, along with fact findings addressing the basis for the penalties. The proposal informed the provider of its right to request a hearing within 90 days, which the provider failed to invoke. Following expiration of that period, HHS finalized the $3.2 million penalty determination against the provider.
Grounds for Civil Money Penalties
The provider's liability for penalties is based on its:
Failure to implement access controls (encryption and decryption), and a related failure to document this decision and the rationale underlying it.
Failure to implement adequate policies and procedures for the receipt and removal of hardware and electronic media containing electronic PHI into and out of its facility (and the movement of these items within its facility).
Impermissible disclosure of individuals' PHI.
HHS cited several "aggravating factors" that weighed in its penalties determination, including:
The amount of time the provider continued to use unencrypted devices after it knew that encryption was necessary to ensure the electronic PHI's security.
The third-party analysis that cited the need for encryption and characterized this (and related) HIPAA noncompliance as high risk.
The provider's history of noncompliance with HIPAA's privacy and security rules, which included ongoing risk to the security of electronic PHI spanning several years (see Practice Note, HIPAA Security Rule (www.practicallaw.com/5-502-1269)).
Practical Impact: Updated HHS Civil Monetary Penalties
Although HHS resolution agreements involving HIPAA noncompliance have become fairly routine over the past few years, this enforcement action illustrates a less common civil money penalties process at HHS's disposal when more informal settlement efforts are unsuccessful (45 C.F.R. § 160.416; see Legal Update, Stolen Pen Drive Results in $2.2 Million HIPAA Settlement (www.practicallaw.com/w-005-4740)). One of the takeaways in this case is that it is not enough for a HIPAA covered entity to simply retain a third party to conduct a risk/gap analysis and propose recommendations. Rather, the covered entity should either follow through in implementing recommendations from any such analysis or document why it decided not to do so.
In a related HHS development, the government finalized regulations to reflect required annual inflation-related increases to civil monetary penalties under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (see Legal Update, DOL Increases Civil Money Penalties for 2017, Effective January 13, 2017 (www.practicallaw.com/w-005-4334)). The adjusted civil penalty amounts apply to civil penalties assessed on or after February 3, 2017 (that is, the date the final regulations were published in the Federal Register), if the violation occurred after November 2, 2015. If the violation occurred before November 2, 2015 (or a penalty was assessed before September 6, 2016), the pre-adjustment civil penalty amounts in effect before September 6, 2016 apply.