Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office for Civil Rights (“OCR”) led to a Resolution Agreement, a $400,000 payment and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), had notified OCR of a reportable breach in November 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, and is therefore WIH’s business associate. Although WIH had a business associate agreement (“BAA”) in place with CNE, it was dated March 2005 and had not been updated since the implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA compliance program, triggered by the report of the missing tapes, uncovered the outdated BAA. WIH updated its BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key takeaways are: (1) there is an inference in OCR’s actions that a well-worded BAA, in which the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning the often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA had been in place and followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at
OCR’s sample BAA may be found at

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Ransomware gets into your system, ties up your data by denying you access to it (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key. Maintaining frequent backups, and ensuring the ability to recover data from those backups, is therefore crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities here, because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the Privacy Rule, there is a presumed breach, which may trigger notification. Whether or not the presence of ransomware is a breach under the HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

HIPAA – Are you ready for an audit?

HIPAA (the Health Insurance Portability and Accountability Act) is well known to all health care providers, as it governs the privacy of patient information, among other things. The basic parameters of the Privacy Rule should be known to all providers who handle protected health information.

The Office of Civil Rights for the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

HHS/OCR Issues Guidance on HIPAA and Workplace Wellness Programs

Many employers view wellness programs as a way to lower health care costs and promote healthy behavior. With the growth of workplace wellness programs, new guidance from the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) is timely. HHS/OCR recently issued guidance in the form of frequently asked questions about HIPAA and workplace wellness programs.

The applicability of HIPAA to a workplace wellness program depends on how the program is structured. An employer may sponsor its own wellness program or offer it through the employer’s group health plan. When a workplace wellness program is offered as part of a group health plan, individually identifiable health information collected from wellness program participants is protected under HIPAA because the group health plan is a covered entity under HIPAA. However, a workplace wellness program that is not offered as part of a group health plan but is offered by an employer directly is not covered by HIPAA, since HIPAA applies only to covered entities and business associates, not to employers in their capacity as employers. Other federal and state laws may nonetheless apply to the collection and/or use of information by an employer that directly offers a workplace wellness program.

The guidance also addresses whether a group health plan may allow an employer as plan sponsor access to protected health information about participants in a wellness program offered through the plan. If the employer does not administer the health plan, the group health plan can disclose to the employer as plan sponsor only information on which individuals are participating in the health plan and summary health information if requested for the purposes of modifying the plan or obtaining premium bids for coverage.

The guidance states that the group health plan can provide an employer that is a plan sponsor and performs administrative functions on behalf of the group health plan with access to protected health information necessary to perform its plan administrative functions, but only if certain conditions are met. These conditions, which the employer as plan sponsor must include in plan documents and certify agreement to, include the following:

  • There must be adequate separation between employees who perform plan administrative functions and those who do not;
  • Protected health information cannot be used or disclosed for employment-related actions or other prohibited purposes under the privacy rule; and
  • There must be reasonable and appropriate administrative, technical, and physical safeguards to protect any electronic protected health information.

As employers and group health plans begin developing and implementing workplace wellness programs this year, they should review OCR’s recent guidance to ensure that they are in compliance with HIPAA.


HIPAA Privacy and Public Health Emergency Situations

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has issued a bulletin reminding health care providers that, in OCR’s words, “the protections of the Privacy Rule are not set aside during an emergency.” OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures. Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization. OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient. HIPAA also allows covered entities to release patient information without authorization for certain public health activities. A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability. Information may also be shared at the direction of a public health authority with a foreign government that is acting in collaboration with the public health authority. In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law. Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information. A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons whom the patient identifies as being involved in the patient’s care, and to disaster relief organizations. Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies. For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies. Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient. If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, provided the patient has not objected to or restricted the release of this information; information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences. General information about a patient’s condition includes “critical,” “stable,” “deceased,” or “treated and released.” OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient, or of specific information about that patient, may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin applies.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act. The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public health emergency. The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol. Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.