To Accept CMPs or Not to Accept CMPs?
On October 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced the imposition of $2.1 million in civil monetary penalties (CMPs) against Jackson Health System (JHS), a Florida-based nonprofit academic medical system, to resolve multiple HIPAA violations over several years. This CMP announcement marks OCR’s fifth monetary penalty and 69th financial enforcement action.
This case highlights the importance of covered entities periodically conducting thorough risk analyses and proactively auditing access logs to identify suspicious patterns, and it demonstrates how multiple, seemingly unrelated HIPAA problems can significantly increase the risk of a financial enforcement action. It also raises the question of whether it is best to seek a financial settlement and corrective action plan, or just accept the imposition of civil monetary penalties.
Summary of OCR’s Action
On August 22, 2013, JHS notified OCR of a January 2013 loss of paper records for 756 patients from one of its health information management departments. JHS’s internal investigation identified additional lost paper records of another 680 patients, but JHS did not report this to OCR until June 7, 2016.
Additionally, in July 2015, OCR became aware of multiple news reports involving the protected health information (PHI) of a JHS patient who was a well-known NFL player. JHS determined that two employees had accessed the patient’s electronic medical record without a business purpose.
In February of 2016, JHS submitted a breach report identifying that an employee had inappropriately accessed 24,188 patients’ records and had been selling patient information since July 2011.
Investigation Uncovers Breach Notification Rule Violations
OCR's investigation found violations of the Breach Notification Rule, the Security Rule’s risk analysis, risk management, and information system activity review requirements, and the Privacy Rule’s minimum necessary requirements. OCR proceeded with a “letter of opportunity” (offering an opportunity to raise mitigating factors and affirmative defenses) and a “notice of proposed determination” proposing $2,154,000 in CMPs and an opportunity to appeal the proposed determination.
Of note, the CMPs relate to the:
- (i) Security management process standard (the Security Rule standard governing risk analysis, risk management, and information system activity review);
- (ii) Information access management standard; and
- (iii) Requirement to timely notify OCR of a breach.
OCR found the first two were due to “reasonable cause” while the last was due to “willful neglect.” The majority of the CMP amount is attributable to the willful neglect finding for the lack of timely breach notification to OCR.
JHS Waives Right to Contest OCR’s Findings; Agrees to Pay CMPs
OCR did not increase the CMPs by counting violations of “implementation specifications” that fell under each “standard” as separate violations (such as by treating risk analysis and information system activity review as separate violations) or by including alleged violations of the minimum necessary standard and its implementation specifications.
JHS waived its right to contest OCR’s findings and request a hearing, instead agreeing to pay the $2,154,000 in CMPs. We do not know if a lower settlement amount was offered by JHS, or what a corrective action plan may have entailed.
Take-Away Considerations
In light of OCR’s actions against JHS, covered entities and business associates should consider:
- Conducting Comprehensive Risk Analyses and Implementing Appropriate Improvements: Failing to conduct accurate and thorough assessments of risks and vulnerabilities is a commonly cited deficiency in OCR actions. These issues are exacerbated when deficiencies are identified but not resolved.
- The Security Rule Security Management Process standard requires a covered entity or business associate to, in accordance with § 164.306, implement policies and procedures to prevent, detect, contain, and correct security violations. The standard further requires covered entities and business associates to address any identified deficiencies. OCR previously has issued guidance on the risk analysis. See 45 C.F.R. § 164.308(a).
- Following Up on a Breach Investigation If Additional Facts Are Subsequently Discovered: The HIPAA Breach Notification Rule requires a covered entity to notify the Secretary following the discovery of a breach of unsecured PHI. See 45 C.F.R. § 164.408. In JHS’s case, JHS did not timely provide initial notification to OCR, and then subsequently failed to provide addenda as additional breach details emerged.
- OCR cited the notification delay as an “aggravating factor” in determining the CMPs. Covered entities should provide notification in compliance with the HIPAA timing requirements after a breach is discovered and should file timely addenda when appropriate.
- Becoming Aware of a Wide Variety of Insider Threats: The implementation specification regarding information system activity review requires a covered entity or business associate to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. § 164.308(a)(1)(ii)(D). Additionally, the “minimum necessary” standard requires limiting PHI access to only those workforce members who require the PHI to do their jobs. See 45 C.F.R. § 164.514(d).
- Organizations should consider an array of possible insider threats, including paying extra attention to the specific risk factors in their environment. In cases like JHS’s, organizations should consider putting additional safeguards in place when dealing with a celebrity patient (e.g., an NFL player) and implementing technology to detect a user’s access to a disproportionately large number of patient records.
- Balancing CMPs Versus Settlements: JHS decided to accept the imposition of CMPs rather than contesting the matter or entering into a settlement. As a result, JHS avoided a multi-year corrective action plan.
It is unclear whether going the settlement route would have resulted in a lower financial outlay, particularly if the cost of implementing a corrective action plan was significant. But the case highlights that, when OCR proceeds with financial enforcement, there may be some benefit in paying the money and moving on without having to implement a corrective action plan.
It is also worth noting that HIPAA regulations require OCR to notify various entities about the imposition of CMPs (but not financial settlements): “appropriate” State or local medical or professional organizations, State agencies administering or supervising the administration of State health care programs, utilization and quality control peer review organizations, and State or local licensing agencies or organizations.
Accordingly, even without a corrective action plan, paying the CMPs may not be the end of the matter as others receiving notice may become involved.