The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy. In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.
Last month, OCR announced two seven-figure settlements for breaches of protected health information (PHI) arising from thefts of unencrypted laptops.
- OCR entered into a $1.55 million settlement with North Memorial Health Care of Minnesota, after a laptop was stolen from a car of one of the hospital’s business associates. In investigating the incident, HHS found that the hospital did not have a business associate agreement in place with the business associate and also failed to conduct a risk assessment as required by the HIPAA Security Rule.
- OCR entered into a $3.9 million settlement with the Feinstein Institute for Medical Research, after a laptop was stolen from an employee’s car, resulting in a breach of approximately 13,000 patients’ and research participants’ PHI. OCR alleged that the Institute’s security process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities” to PHI. OCR also found that the Institute did not maintain adequate HIPAA security policies and procedures.
As we have previously reported, thefts of unencrypted laptops are a common fact pattern leading to HIPAA liability. Covered entities and business associates should take steps to implement technical safeguards that ensure that electronic PHI stored on a laptop or mobile device is rendered unreadable or unusable to unauthorized users.
In addition, earlier this month, OCR reached a $750,000 settlement with a health clinic that failed to enter into a business associate agreement before disclosing PHI of 17,300 patients to a business partner.
These recent enforcement actions underscore the importance of covered entities’ adopting adequate HIPAA policies and procedures as well as entering into valid business associate agreements with contractors and service providers that have access to PHI.
Finally, OCR just announced a $2.2 million settlement with New York Presbyterian Hospital for permitting a crew to film hospital patients, without their authorization, during the taping of a television show. OCR found that the hospital allowed the film crew “virtually unfettered access,” and thus it did not protect against impermissible disclosures of PHI.
In conjunction with this settlement, OCR announced the release of additional guidance regarding media access to PHI. In this guidance, OCR explains that a covered entity must enter into a business associate agreement before it may allow a film crew access to areas where PHI is accessible. OCR writes that the only exceptions are for those disclosures permitted by the HIPAA Privacy Rule, such as to help locate an unidentified and incapacitated patient in its care. OCR also writes that covered entities may allow film crews into areas generally accessible to the public, such as areas where the public enters and exits the facility or a public waiting room.
The OCR guidance does not discuss whether a business associate agreement is required when a patient gives authorization and the film crew does not have access to unauthorized PHI. In these circumstances, it is likely that a patient authorization would suffice.