Health plans, their employer and other health plan sponsors, fiduciaries and vendors as well as health care providers, healthcare clearinghouses, their vendors that are business associates covered by the Privacy, Security and Breach Notification Rules of the Health Insurance Portability & Accountability Act (“HIPAA”) are urged to act promptly to take well-documented steps to confirm and protect electronic protected health information and systems against the increasingly common hacking and other common cybersecurity threats in light of the rising cyber-hacking and other cybersecurity threats and exposures.
As implemented and enforced by the Department of Health & Human Services Office of Civil Rights (“OCR”), HIPAA generally requires that health plans, health care providers, healthcare clearinghouses and their service providers that qualify as business associates (hereafter “covered entities”) safeguard the privacy and security of individually identifiable protected health information (“protected health information”) in paper, electronic or other form against use, access or disclosure other than as allowed by HIPAA. Along with its general restrictions upon use, access or disclosure of protected health information, HIPAA also requires that covered entities and their business associates take the special precautions to protect electronic protected health information (“ePHI”) against improper access, use, disclosure or loss required by the OCR HIPAA Security Rule. Meanwhile, the OCR HIPAA Breach Notification Rule requires that covered entities notify affected individuals, OCR and in the case of breaches involving records of more than 500 individuals, the media in accordance with the OCR Breach Notification Rule following breach of unsecured protected health information.
OCR has an established policy of investigating all breach reports involving more than 500 individuals and these investigations commonly result in settlements that extract agreements by affected covered entities or business associates to pay huge resolution payments to avoid being assessed significantly larger civil liability penalties authorized by HIPAA. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).
A review of the OCR data base of unsecured electronic protected health information breaches reveals that OCR has received a wave of required unsecured electronic health information breach notifications impacting 500 or more individuals arising from hacking of electronic systems or e-mail since January 1, 2021, including notices from Apple Blossom Family Practice VA Healthcare Provider (500 individuals/Network Server Hacking/IT Incident); Network Server; Texas ENT Specialists TX Healthcare Provider (535,489 individuals/ Network ServerHacking/IT Incident0; Eduro Healthcare, LLC UT Healthcare Provider (8059 individuals/Hacking/IT Incident Email); Sacramento County Department of Health Services CA Healthcare Provider (2096 individuals/Hacking/IT Incident Email); Weddell Pediatric Dental Specialists, LLC IN Healthcare Provider (5356 individuals/Hacking/IT Incident Email); Javery Pain Institute MI Healthcare Provider (1387 individuals/Hacking/IT Incident Email); OSR Physical Therapy AZ Healthcare Provider (714 individuals/Hacking/IT Incident Email}; Nippon Life Insurance Company of America NY Health Plan (4109 individuals/Unauthorized Access/Disclosure Email); Bansley and Kiener, LLP IL Business Associate (50119 /Hacking/IT Incident Network Server) Baylor Scott & White Medical Center – Waxahachie TX Healthcare Provider (883 individuals/Unauthorized Access/Disclosure Electronic Medical Record); Bansley and Kiener, LLP IL Business Associate (2297 individuals/Hacking/IT Incident Network Server); Bansley and Kiener, LLP IL Business Associate (2711/Hacking/IT Incident Network Server); Bansley and Kiener, LLP IL Business Associate (15,814/Hacking/IT Incident Network Server); Mertz Manufacturing Inc Health Insurance Plan OK Health Plan (868 individuals/Hacking/IT Incident Network Server); Department of Behavioral Health and Developmental Services VA Healthcare Provider (4037 individuals/Unauthorized Access/Disclosure Other) Great Plains Manufacturing, Inc KS Health Plan (4110 individuals/Hacking/IT Incident Network Server); and Roy Varughese, M.D. TX Healthcare Provider (2916 individuals/Hacking/IT Incident Email). These recent breach notifications represent only the latest in a rising tide of hacking associated data breach notifications that OCR has received in recent years.
While provider breach reports still are the most common, health plan data breaches are becoming increasingly common. Between January 1 and December 20, 2021, for instance, OCR reported having open investigations arising from health plan breaches of unsecured protected health information reported after December 31, 2021 by Mertz by Manufacturing Inc Health Insurance Plan OK Health Plan; Great Plains Manufacturing, Inc KS Health Plan; Region IV Area Agency on Aging MI Health Plan; Kaiser Permanente MD Health Plan; Iowa Total Care, Inc. IA Health Plan; Maritz Holdings Inc. MO Health Plan; State of TN Finance & Administration TN Health Plan; Providence Health Plan OR Health Plan as well as a plethora of previously health plan associated breaches reported prior to 2021.
While health plan breach notifications generally have lagged far behind provider notifications in number, reported health plan breaches generally have resulted the largest civil monetary penalty or resolution payments largely due to the massive number of individuals affected by these breaches. See e.g., Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual (September 23, 2020). In fact, health plan breaches account for the top three largest resolution agreements to date. The biggest among these resolution agreements is the still record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc. and OCR that Anthem entered into to settle potential HIPAA violations OCR uncovered in its investigation of breaches of the electronic protected health information of 79 million remains OCR’s largest. See Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management
In January, 2021, OCR announced New York health insurer, Excellus Health Plan, Inc., would pay $5.1 million to settle potential HIPAA violations related to a breach affecting over 9.3 million people. The settlement resulted from OCR’s investigation of a September 9, 2015 breach report that cyber-attackers gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013 and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. The resolution payment is the second largest collected by OCR to date.
In October, 2020, OCR announced a resolution agreement with Aetna Life Insurance Company and affiliated covered entity (Aetna) where Aetna paid a $1 million resolution payment to settle potential HIPAA violations that arose from Aetna’s filing of hacking related breach reports in 2017 and OCR’s September 2021 announcement of a resolution agreement where Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR (the second largest in OCR history) to settle potential HIPAA violations related to a breach affecting over 10.4 million people. This resolution represents the third largest payment to resolve a HIPAA investigation in OCR history.
The magnitude of these three recordbreaking resolution agreements sends a strong signal that health plans and other covered entities impacted by hacking incidents should expect little sympathy or quarter from OCR. OCR Director Roger Severino drove this point home when he warned in OCR’s announcement of the Aetna resolution agreement, “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries. …. We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
Coupled with these warnings, the series of alerts issued by OCR urging health plans and other HIPAA covered entities to guard their electronic systems and electronic protected health information against various hacking, malware and other cybersecurity threats send a clear message to health plans and other HIPAA regulated covered entities and business associates to constantly monitor and reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections or be prepared to face similar sanctions from OCR.
Along side the OCR warnings, employment and union sponsored health plans, their insurers, business associates and fiduciaries also now face additional pressure to take prudent steps to secure their health plans’ protected health information and electronic data systems against improper use, access, destruction or disclosure under April, 2021 Employee Benefit Security Administration (“EBSA”) guidance package that for the first time officially recognizes cybersecurity as included in the fiduciary responsibilities of employee benefit plan fiduciaries under the Employee Retirement Income Security Act (“ERISA”) and addition of cybersecurity to its plan audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries have taken the steps prudently necessary to guard health and other employee benefit plan data and systems against cybersecurity threats. In light of this guidance health plan fiduciaries and sponsors generally will want to ensure that at minimum, they can demonstrate that the health plan and health plan vendor cybersecurity safeguard meet or exceed the recommendations included in the following guidance materials published by EBSA as part of this cybersecurity announcement and any other steps that are prudent to guard against cybersecurity threats:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:
- In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
- Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
- Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
- Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
- Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
- Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
- Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
- Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
- Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
- Establishing contingency plans for responding in the event of a breach.
- Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
- Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
- Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.
Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.
Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practicces as part of the fiduciary obligations of health plans and their fiduciaries.
Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.
For Additional Information Or Assistance
If you need have questions or need assistance with health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help. Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer also regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
Important Information About This Communication
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™