Epstein Becker Green Health Care and Life Sciences Client Alert

As the Department of Health and Human Services’ (“HHS”) Office of Civil Rights (“OCR”) proceeds with its second round of HIPAA audits, this time covering business associates as well as covered entities, a recent settlement with a physician group providing cancer care services serves as a reminder that failure to take HIPAA security seriously can result in hefty fines and a supervised corrective action plan.

The issue began on July 19, 2012, when a laptop bag was stolen from an employee’s car. Although the laptop itself did not contain any electronic Protected Health Information (“ePHI”), backup media for a computer server was also in the bag. That backup media contained the ePHI of approximately 55,000 individuals and was unencrypted. As required, the covered entity, a cancer care physician group, reported the breach to OCR. OCR conducted an investigation and, as a result of that investigation, alleged that the covered entity had: (1) “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to the PHI; (2) “failed to implement policies and procedures that govern the receipt and removal of [ePHI] into and out of its facility”; and (3) “impermissibly disclosed” ePHI by failing “to safeguard unencrypted back-up tapes. . . .” The outcome, three years after the initial breach, was a $750,000 fine and a corrective action plan.

The corrective action plan is in effect for three years and requires the covered entity to submit certain information to HHS for its approval. Specifically, the corrective action plan requires the covered entity to conduct a comprehensive and thorough risk assessment within 90 days after the “effective date” of the agreement. The covered entity must provide a copy of that risk assessment to HHS for review. HHS will then inform the covered entity whether it approves or disapproves of the risk assessment. If HHS disapproves of the risk assessment, the covered entity has 60 days to revise its risk assessment to address HHS’s concerns, and then it must resubmit the assessment. The submission/review process continues until HHS approves the submitted risk assessment.[1]

Once HHS approves the risk assessment, the covered entity then has 90 days to submit a risk management plan for HHS’s approval. Once again, the review and approval process takes place until HHS approves the covered entity’s risk management plan. After the approval of the risk management plan, the covered entity must provide HHS with copies of appropriately revised policies and procedures (to the extent revision is necessary based on the risk management plan). Once again, the review process continues until HHS approves the revised policies. The covered entity must do the same with its training program.

In addition, under the corrective action plan, the covered entity submits reports annually and must notify HHS of “Reportable Events.” A “Reportable Event” is broadly defined as any instance in which a workforce member fails to comply with the covered entity’s privacy and security policies. Notably, any breach of the corrective action plan exposes the covered entity to potential additional civil monetary penalties.

The current action emphasizes OCR’s findings and concerns expressed during Phase 1 of its HIPAA audits. Those audits identified various areas of frequent noncompliance with HIPAA standards, including: risk analysis and risk management, individual access and access control, the reasonable safeguards requirement (including encryption and decryption), device and media controls, transmission security, training, and content and timeliness of breach notifications. OCR indicated that these noncompliance areas would form the foundation of the Phase 2 audits. The alleged deficiencies for which the recent fine was imposed fall squarely within the Phase 2 priorities.

The penalty and corrective action plan serve as a reminder to both covered entities and business associates to ensure that risk assessments and policies are up to date, are well documented, and provide for adequate safeguards for the nature and scope of the business involved.

* * *

This Client Alert was authored by Arthur J. Fried, Patricia M. Wagner, and Adam C. Solander. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.


[1] The covered entity must also review the risk assessment annually.