Actually, it was “only” a potential violation of privacy and data security rules imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for which North Memorial Health Care of Minnesota (“NMHC”) agreed to pay $1.55 million.
The violation alleged by the Department of Health and Human Services Office for Civil Rights (“OCR”) arose from the theft of a laptop from a locked vehicle owned by a contractor’s employee. The laptop, which was password protected, contained the individually identifiable personal health information (“PHI”) of 9,497 individuals.
The contractor also was given access to the PHI of 289,904 individuals while performing its on-site consulting services relating to bill collection and health care operations.
There is no indication in the public record that any individual was actually damaged by the claimed data security breach.
NMHC was cited for not having a Business Associate (“BA”) agreement with the contractor and for not conducting an adequate analysis of security threats to the PHI maintained, accessed and transmitted across NMHC’s IT network.
A BA agreement is required to impose privacy restrictions on contractors and other third parties who have access to electronic PHI in their dealings with a “covered entity.”
Covered entities include most medical service providers such as physicians, hospitals, clinics and medical laboratories. Self-funded group health plans (but not employers) are also covered entities. So, self-funded group health plans (those that are not fully insured) also need to be mindful of entering into BA agreements with their contract administrators (TPAs) and other third parties involved in plan administration.
Takeaways
Here are three key takeaways you should consider:
First, lost and stolen laptops have cost hospitals and other medical service providers many millions of dollars in OCR fines. It seems unlikely that such liability can be prevented by physical security measures alone. Covered entities need to consider maintaining PHI in an encrypted format in order to provide an across-the-board defense to claimed HIPAA violations and the associated big-dollar OCR fines. Password protection by itself will not afford adequate security for electronic PHI.
Second, a properly drafted BA agreement is frequently overlooked by covered entities in their dealings with contract administrators, consultants, collection agencies and others with access to PHI. A BA agreement also can afford the covered entity (medical service provider or self-funded group health plan) additional contract protection in the event of a data breach involving PHI accessed by a contractor/consultant.
Third, an IT security assessment can help not only with HIPAA compliance but also with state laws mandating the confidentiality of personal information. No one wants to pay millions for a lost laptop, but compliance with state law privacy breach notice requirements, providing security monitoring services for affected individuals, and possible civil liability also can prove to be a substantial burden.
Need more compliance encouragement from the OCR? You can follow OCR on Twitter for updates on its HIPAA enforcement activities.
About the Author: Andrew S. Williams has practiced in the employee benefits and ERISA arena since ERISA was passed in 1974. He has been recognized by his peers through a survey conducted by Leading Lawyers Network as among the top 5 percent of Illinois lawyers in Small, Closely and Privately Held Business Law and Employee Benefit Law. He maintains a website, Benefits Law Group of Chicago, with additional updates, commentary and analysis on benefits and employment topics.