HHS Announces Significant Settlement Agreements for Noncompliance
On December 4 and December 11, 2018, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued press releases announcing two settlements with health care providers for violations of the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security rules. Specifically, the releases reported data breaches and failures to have Business Associate Agreements (BAAs) in place with contractors that had access to protected health information (PHI).
The first involved an entity called Advanced Care Hospitalists PL (ACH), which agreed to pay a $500,000 penalty for contracting with a fraudulent billing company without entering into a Business Associate Agreement with the contractor. In 2014, a hospital notified ACH that its patient information was viewable on the website of the contractor (First Choice). ACH filed a breach report with OCR reporting 400 affected patients. It was later determined that an additional 8,855 patients may have had their data exposed. In addition to the penalty, ACH agreed to implement privacy and security procedures and to put Business Associate Agreements in place with all contracting entities that have access to patient data.
On December 11, 2018, OCR issued a second press release concerning Pagosa Springs Medical Center (PSMC), which agreed to pay a $111,400 penalty after it was discovered that a former PSMC employee continued to have remote access, after termination, to PSMC's web-based scheduling calendar, which contained patients' electronic protected health information (ePHI). Failing to revoke the former employee's access was found to be a violation of the privacy and security rules, and the failure to have a Business Associate Agreement with the software company providing the calendaring system (Google) was also deemed a violation.
These violations were brought to the attention of OCR through the reporting requirements triggered by the discovered data breaches. That reporting in turn triggered additional HHS auditing for compliance with the HIPAA rules. The Employee Benefits Security Administration (EBSA) also examines HIPAA compliance during its investigations of employer-sponsored health plans. These cases are a reminder for covered entities to be diligent about keeping privacy and security policies and procedures up to date and to ensure that they are followed. As these examples demonstrate, noncompliance with the Business Associate Agreement requirement and the privacy and security rules can lead to significant penalties.