Affinity Health Plan, Inc. (Affinity) will pay $1,215,780 and take other corrective actions to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules under the Affinity Resolution Agreement and CAP (Affinity Settlement) with the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). The settlement comes as the September 24, 2013 deadline for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity to comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year. Health plans and other Covered Entities should take timely action to confirm that their existing procedures appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media as well as to implement business associate or other policy, procedures or training updates required to comply with the updated HIPAA rules.
HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements
HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA. The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to individuals whose information was breached, OCR and in some cases, the media, and made certain other changes to the original requirements of HIPAA. Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to comply with changes in the regulations resulting from these HITECH Act amendments beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.
The 2013 Final Rule and other OCR guidance makes clear that OCR expects Covered Entities and their business associates appropriately to safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. HITECH Breach Notification Rule requires HIPAA-covered entities to tell HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule. OCR previously has sanctioned other Covered Entities for failed to properly destroy or safeguard PHI stored in digital format on computer or other equipment before abandoning or disposing of that equipment. The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.
Affinity Settlement Highlights
According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)
In its breach report, Affinity indicated that a representative of CBS Evening News told Affinity that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.
Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, OCR reports its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.
In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.
Learn From Affinity Lesson On Proper Disposal Procedures
Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement sends another reminder to Covered Entities and their business associates again of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.
“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”
OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance. Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital formal, OCR in the Affinity Settlement recommended that Covered Entities and their associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology has issued Guidance On Assessing The Security Of Multipurpose Office Machines. Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used to when disposing of or repurposing copies or other equipment that may contain electronic PHI.
HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures
In addition to addressing the concerns that lead to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training also are updated to comply with updates to the updated 2013 Final Rule adopted by OCR earlier this year here.
Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.
In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable. In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.
For Help or More Information
If you need help monitoring or providing input on this legislation or to understand and respond to these or other legislation, laws and regulations, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.
A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues. Author of numerous prominent publications on HIPAA and other data security and privacy concerns impacting health plans, health care providers, employers, financial services providers and others, Ms. Stamer also serves as the scribe for the ABA JCEB annual Technical Sessions meeting with OCR and has represented numerous health plans, employers, health care providers and others in investigating, redressing, reporting data breach, identity theft and other compliance concerns.
She advises clients on, publishes, and speaks on HIPAA and other health plan, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.
Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.
Other Resources
If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:
- IRS Releases Updated Healthcare Law Online Resources Publication
- IRS Extends Remedial Amendment On Cycle Opinion Deadline For Some Defined Benefit Plans
- Self-Dealing Or Other Mishandling of Employee Benefit Plan Funds Risky For Fiduciaries & Those Appointing Them
- Employers & Insurers Reminded Of July 31 Deadline To Pay New ACA-Required PCORI Fees
- Use New Government Health Care Reform Resources With Care
- OCR Warns Others Learn From WellPoint’s $1.7 M HIPAA Settlement
- “Pay Or Play” Reprieve Still Leaves Employers Facing Challenging 2014 Health Care Reform Deadlines
- HHS Continues Preparations For New Health Insurance Marketplace By Awarding Grants To Promote Kids Enrollment
- HHS Touts Enrollment Tools, Says Exchange Enrollment Ready Despite GAO Concerns
- HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce
- Consider OCR Technical Corrections When Updating Privacy Practices & Agreements For Omnibus Restatement of HIPAA Privacy, Security, Breach Notification & Enforcement Rules
- Id & Manage Hidden Employee Benefit Exposures In Business Insolvency Or Other Transactions
- Final Regulations Update HIPAA Health Plan Wellness Program Rules
- Beware: Not All Products Marketed As “Fixed Indemnity Coverage” Products Are HIPAA/ACA Exempt
- CMS Publishes FY 2014 Final Inpatient Rehabilitation Facility Prospective Payment Rule
- Tighten Disability Compliance To Avoid ADA Suits, Program Disqualification & Other Risks
- Doc Caught Submitting Conflicting Patient Records to Private Payer Versus Medicare Criminally Sentence, Pays Civil Settlement
- OCR To Covered Entities: Learn From WellPoint $1.7 Settlement
- Improper Billing Of Private Payers Increasing Source Of Liability & Risk For Providers
- Ambulatory Care Orgs Face New Joint Commission Standards Beginning January 1, 2014
- Hollywood Pavillion & Other Fraud Convictions Show Individuals Risk Prison Time For Health Care Fraud Involvement
- 55 Hospitals To Pay $35M+ To Settle FCA Claims Charges On Kyphoplasty Procedures
- Whistleblower Collects $2.7 M of $14.5M Sound Inpatient Physicians Overbilling Settlement
- OIG Urges CMS To Step Up Efforts To Recover “Overpayments”
- HHS Continues Preparations For Health Care Marketplace By Awarding $32M Of Grants To Up CHIP & Medicaid Enrollment
- Hospital Pay $275K To Settle HIPAA Charges After Sharing PHI With Press, Workforce In Response To Fraud Reports
- OCR Makes Technical Corrections To HIPAA Omnibus Final Rule; September 2013 Enforcement Deadline Looming
- Updated Kaiser Family Foundation Tool May Help Project Which Employees Will Get Exchange Subsidies
- New IRS Guidance On ESOP Investment Diversification Reminder To Tighten Compliance, Risk Management
- EBSA Releases Model ACA Notices Discussing Coverage Options
- Group Health Plans &No-Fault & Worker’s Comp Ruled Primary Plans When Coordinating With Medicare Advantage Plans
- Changing Plan Years Won’t Extend Health Plan’s Affordable Care Act Annual Limit Waiver Eligibility
- Deadline To Send ACA Summary of Benefits & Coverage Adds Pressure To Finalize 2014 Plan Designs As Agencies Add MEC & MV Disclosures To SBC
- Study Finds Down Economy, Not Health Care Reform Accounts For Slower Health Care Cost Increases; Projects Renewed Costs When Economy Improves
- IRS Witholding Calculator Can Help Avoid Over & Underwithholding
- Responding To West, Texas, Boston & Other Tragedies: Information and Reassurance Resources
- Justice Department Charges Employer, Pension Plan With Violating USERRA Reemployment Rights
- Administration Proposes To Let PBGC Board Set Premiums In Effort To Shore Up Finances
- Administration Proposes Expanding Eligibility, Simplifying Small Employer Health Care Tax Credit
- Health Care Transparency Effectiveness & Value Depends On Data Quality, Understanding & Awareness
- Test Your Health Care Reform Knowledge On 3rd Anniversary of Reform Passage
- Insured “Expatriate Plans” Get Temporary Reprieve From Affordable Care Act Compliance Thru 2015 If Meet Other Health Plan Mandates
- Insured “Expatriate Plans” Get Temporary Reprieve From Affordable Care Act Compliance Thru 2015 If Meet Other Health Plan Mandates
- OCR Plans To Survey Health Plans, Other Covered Entities Hit With HIPAA Audits in 2012
- Businesses Urged To Strengthen Their Worker Classification Defenses As IRS, Other Agencies Step Up Audits & Enforcement
- Alert Employees Claiming Qualified Adoption Expenses and Education Credits About Changed IRS Procedures
- 13 Employer Tips For Coping With Health Care Reform Now!
- Sequester Will Cut ACA Small Businesses Health Care Tax Credits
For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
©2013 Cynthia Marcotte Stamer, P.C. Nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved