“Encrypt your laptops and other mobile devices” is only one of the key lessons leaders of health plans, health care providers, health care clearinghouses (“Covered Entities”) and their business associates should take away from the Department of Health and Human Services Office for Civil Rights (OCR)’s April 22 announcement that Concentra Health Services (Concentra) and QCA Health Plan, Inc. of Arkansas (QCA) collectively are paying $1,975,220 under separate Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule resolution agreements resulting from thefts of unencrypted laptops. Along with the importance of encryption, however, these Resolution Agreements also contain equally significant, more broadly applicable lessons to Covered Entities, business associates and their leaders about some of the specific processes, actions and documentation that OCR them to implement and be prepared to defend the adequacy of their HIPAA “culture of compliance” if they file a breach report or otherwise face a HIPAA audit or investigation from OCR.
Consequently, while confirming the adequacy of their organization’s existing encryption of laptops and mobile devices, Covered Entities and their leaders should also consider using these and other Resolution Agreements as a road map for reviewing and tightening their management oversight and other HIPAA compliance documentation and practices generally.
Concentra Resolution Agreement
Under the Concentra Resolution Agreement, Concentra agrees to pay OCR a monetary settlement of $1,725,220 and adopt a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules and evidence their remediation of OCR’s findings.
OCR opened a compliance review of Concentra after receiving a breach report that an unencrypted laptop was stolen from its the Springfield Missouri Physical Therapy Center on November 30, 2011. OCR’s investigation concluded that Concentra previously had recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk. While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information.
In particular, the Resolution Agreement states that HHS’ investigation found that the following conduct occurred (Covered Conduct):
Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv))
Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)). 3.
In the Resolution Agreement, Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
QCA Resolution Agreement
QCA’s much smaller $250,000 monetary penalty under the QCA Resolution Agreement also resulted from a breach notification of the theft of an unencrypted laptop and also requires corrective actions in addition to a monetary settlement. OCR opened its investigation after QCA reported in February 2012 that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member’s car. OCR’s investigation revealed that while QCA encrypted their devices following discovery of the breach, QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.
To resolve OCR’s charges it violated HIPAA, QCA agreed to a $250,000 monetary settlement and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures substantially similar to those imposed on the Concentra Resolution Agreement to reduce the risks to and vulnerabilities of its ePHI. QCA is also required to retrain its workforce and document its ongoing compliance efforts.
Corrective Action Plan Lessons For Other Covered Entities & Business Associates
Unquestionably, laptop and other mobile device encryption is a key take away of the two separate resolution agreements against Concentra and QCA. OCR Deputy Director of Health Information Privacy Susan McAndrew made this point clear in the announcement of the Concentra and QCA Resolution Agreements, stating “Covered entities and business associates must understand that mobile device security is their obligation,” and “Our message to these organizations is simple: encryption is your best defense against these incidents.”
As important as this encryption warning is, however, leaders of Covered Entities and business associates must not overlook the more subtle but equally important messages in these Resolution Agreements share about the management oversight and other specific actions, documentation and other evidence that OCR may expect their organizations and its leadership to produce if OCR investigates or audits its HIPAA compliance.
OCR officials have stated that Covered Entities and their business associates should use the corrective action plans in resolution agreements to help guide their own compliance efforts. While the message to encrypt mobile device is important, it is not the only lesson that leaders should learn. The Concentra and QCA Resolution Agreements, as well as their predecessors also contain detailed information about various other processes and procedures that OCR views as necessary or helpful to the compliance efforts of Covered Entities and their business associates. Privacy officers and other leaders of Covered Entities and business associates should avoid the mistake of allowing the Resolution Agreement’s clear messaging about mobile device encryption to lure them or their organization into overlooking broader and more generalized messages the corrective action plans included in the Concentra, QCA and other Resolution Agreements share about the compliance processes and analysis, management review and oversight, training and other compliance practices and documentation that OCR may expect their organizations to create and produce.
The requirement of officer attestation that his organization completed the detailed corrective actions required by OCR and that the reports submitted to OCR are accuratein the Concentra and QCA Resolution Agreements Corrective Action Plans, for instance, reflects OCR’s expectation that senior management take ownership of ensuring the adequacy of their organization’s HIPAA compliance. In this respect, leaders of Covered Entities and business associates particularly should note that both the Concentra and QCA Resolution Agreements, as well as the Skagit County Resolution Agreement announced in March, 2014 require specific attestations from an “officer” of the entity that the officer reviewed the reports, made reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful. These attestation requirements, like those required by OCR in the Skagit County Resolution Agreement OCR announced in March send a clear message that OCR views leaders as responsible for taking appropriate steps to require and confirm adequate HIPAA compliance in the same manner as typically applies to other Federal Sentencing Guideline compliance efforts. See HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments. These attestation requirements send a strong message that OCR expects the leadership of Covered Entities, business associates to take ownership of and keep tabs on their organization’s HIPAA compliance. In light of this, leadership of all Covered Entities and their business associates should evaluate the adequacy of their current HIPAA management oversight and documentation in proving the “culture of compliance” expected by HIPAA.
Viewed from this perspective, the corrective action steps and reporting requirements imposed by the Concentra, QCA and other Resolution Agreements are valuable road maps to both privacy officers and other management of Covered Entities and business associates about the processes, steps and documentation that management should consider requiring as part of its direction and oversight of their organizations’ Privacy, Security and Breach Notification compliance.
In this respect, management should note that both Resolution Agreements require that Concentra and QCA conduct, document, and report to OCR on a series of specific steps toward compliance. In both cases, for instance, OCR requires Concentra and QCA among other things, to conduct a ‘thorough risk assessment’ of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI, then develop and implement a ‘detailed risk management plan’ that addresses the identified compliance concerns, the plan and timeline for their redress and steps for monitoring and verifying those actions are taken.
From the Resolution Agreements’ discussion, leaders should expect that the documentation and evidence that OCR may require their organizations to produce will include:
- A detailed risk management plan that documents and explains its strategy for implementing security measures sufficient to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level based on the organization’s circumstances;
- With the risk management plan, include material evidence of all implemented and all planned remediation actions associated with the risk management plan along with specific timelines for their expected completion and identify the compensating controls that will be in place in the interim to safeguard Concentra ePHI;
- Requires for any changes to its information technology (IT) infrastructure, software or other components, an updated risk analysis in association with any changes or updates to its organizational IT infrastructure (security environment) that affect the risks and vulnerabilities to ePHI received or maintained by Concentra containing all of these elements;
- Require that their team track and document the encryption status of mobile and other devices and PHI that both shows that the organization both requires and tracks compliance with requirements to encrypt devices containing ePHI and that the organization requires specific review and documentation that ePHI will not be used on computer or other devices that are unencrypted.
- Not only that required workforce training is completed but also whether existing and future documentation requires and retains the documentation that would enable the organization to demonstrate to OCR that the leadership of the organization requires monitoring and documentation that all workforce members have completed the required training, the training materials used for the training, the topics covered, the length of the session(s), when training session(s) were held, and the attestations or other documentation from individual workforce members that the organization requires to verify participation, understanding and affirmation of the individual of the need to comply with HIPAA.
Accordingly, management of Covered Entities and business associates should consider verifying that these organizations have, or take the steps necessary, to be able to provide this documentation and other evidence.
The reporting requirements that OCR imposes under the Resolution Agreements also may be helpful to leaders of Covered Entities or their business associates about the importance of requiring periodic detailed and documented reporting from the Privacy Officer on their organization’s compliance with HIPAA, and some of the types of information that they should expect to receive in these reports. In this regard, leaders may wish to take note that the Resolution Agreements in Concentra, QCA, and Skagit each required that their organizations prepare and provide reports, accompanied by the required officer attestations containing among other things:
- A summary of the organization’s security management process and the security measures taken during the Reporting Period, including, if applicable, any documentation of training related to those measures;
- A summary of the organization’s encryption efforts taken during the Reporting Period; and
- A summary of the organization’s security awareness training efforts taken during the Reporting Period.
In light of these requirements, leaders of Covered Entities or business associates also should consider establishing policies that both require periodic reporting to management and management review of reports on their organization’s ePHI and other Privacy and Security compliance that will produce documentation of similar periodic management oversight as an ongoing process within their organizations.
Since the Concentra and QCA Resolutions are only two of several existing Resolution Agreements, and likely will be supplemented by others in the future, management also should ensure that past and future Resolution Agreements as well as other guidance and developments under HIPAA are systematically reviewed and responded to in a similar, well documented manner.
Learn More At Upcoming Workshops and Teleconferences
Leaders, privacy officers, internet security officers, technology professionals and others concerned about HIPAA and other privacy and security management for Covered Entities, business associates and others can learn more about HIPAA Privacy, Security and Data Breach compliance and risk management by participating in one of the following upcoming HIPAA educational events that the author of this update, Cynthia Marcotte Stamer, will be a featured presenter:
- HIPAA Compliance: Are You Ready If A Breach Occurs? Privacy, Security, HITECH, Record Retention Teleconference presented by the American Bar Association Joint Committee on Employee Benefits on April 29, 2014;and
- ISSA-LA and HIMSS Southern California 2nd Annual Healthcare Privacy and Security Summit scheduled for May 15-16 at the Universal City Hilton, Universal City, California.
For Representation, Training & Other Resources
If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.
Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.
Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.
You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:
- IRS Gives Ex Pat Plans Limited Exemption From ACA Reporting Rule
- PBGC Proposes Rules Allowing Lifetime Benefit Rollover Option For Defined Contribution Participant Account Balances
- ONC HIPAA Security Risk Assessment Tool Intended To Help Covered Entities Assess Compliance
- List of Countries Excluded From Foreign Earned Income Exclusion Minimum Time Requirements Published
- Some Sponsors Should Act by 3/31 To Withdraw Individually-Designed Cash Balance Plan Approval Request
- HHS Extends Health Plan Certification of Compliance Comment Period
- HIPAA Covered Entities Should Review & Correct HIPAA Policies In Response To New County Hospital Resolution Agreement, Other Developments
- NLRB Helps Union Force Another Health Care Employer To Recognize & Bargain With Union
- Hospital To Pay $75K For Refusing To Hire Disabled Child Care Worker
- Use Care Before Using “Skinny Plan” Option As Code Section 4980H Tool
- HHS Extends Proposed EDI Rule Time to 4/3 To Get More Input From Self-Insured Plans, TPAs
- New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers
- Agencies Proposes To Treat Certain EAP, Dental and Vision Only Plans As ACA & HIPAA Excepted Benefits
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.