UMass settles potential HIPAA violations following malware infection

The following is text sent on November 22, 2016 from the HHS Office for Civil Rights Action.  For more information, contact Jim Hamilton at jhamilton@boselaw.com.


The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.

On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (the “Center”) was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components.  Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note:  The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.”  To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
  • UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
  • Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.  The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/umass.

OCR offers guidance to covered entities and their business associates on compliance with the HIPAA Security Rule at: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html.

Follow OCR on Twitter at http://twitter.com/HHSOCR


Yellow Light (Again): IRS Extends ACA Deadline to Furnish Forms

On November 18, 2016, the IRS extended the due date for employers to furnish 2016 Form 1095-B and Form 1095-C to individuals from January 31, 2017 until March 2, 2017. The IRS stated that the extension is appropriate because a substantial number of employers need additional time to gather and analyze the information necessary to prepare the forms.

Notice 2016-70 does not extend the deadline for filing the 1094-B, 1095-B, 1094-C or 1095-C with the IRS. The deadline to file these forms is February 28, 2017, or March 31, 2017 if filing electronically.

President-Elect Trump will take office on January 20, 2017. In light of the IRS extension and campaign rhetoric, it is becoming increasingly likely that employers will not be required to distribute and/or file the 2016 1094 and 1095 forms at all.  It would be helpful to all employers if the federal government would provide definitive guidance on this issue no later than the end of January.


Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million

The following information was released by the HHS Office for Civil Rights in Action on August 4, 2016.

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan.  This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals.  The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the press release, resolution agreement and corrective action plan on the HHS website.


OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.


Improper Disclosure of Research Participants’ Protected Health Information Results In $3.9 Million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to building and maintaining trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


Yellow Light: IRS Delays Reporting Requirements Again!

Earlier today, the IRS announced an extension of the due dates for IRS Forms 1094 and 1095. In IRS Notice 2016-4, the IRS states that employers are not required to furnish individuals with either Form 1095-B or 1095-C until March 31, 2016. The deadline was previously February 1, 2016. In addition, employers are not required to file Form 1094-B or Form 1094-C with the IRS until May 31, 2016 if filing paper returns, or June 30, 2016 if filing electronically. The prior deadlines were February 29, 2016 (paper) and March 31, 2016 (electronic).

This is now the second delay of the ACA reporting requirements. On July 2, 2013 (coincidentally, also adjacent to a national holiday), the U.S. Department of the Treasury issued a blog post that announced a delay of the ACA shared responsibility penalties and the accompanying reporting requirements until the 2015 taxable year. A copy of my summary of the prior delay is available here.

The IRS now anticipates that many people will file their individual tax returns (Form 1040) before receiving the Form 1095-B or 1095-C from their employers or other coverage providers. Accordingly, the IRS will allow individuals to rely on other information from their employers or other coverage providers for purposes of filing their returns in 2015.

As most large employers are well aware, the IRS Forms 1094-C and 1095-C are complicated and impose significant administrative burdens. Any delay or simplification of these forms is welcome news. However, at this point, the IRS has lost all credibility on ACA matters, after insisting that there would be no delay of the 2015 reporting deadlines. It is now manifestly clear that the IRS is struggling with the ACA shared responsibility rules as much as the rest of the country.

Please consult your attorney or contact Jim Hamilton at Bose McKinney & Evans with any questions on this issue.
