No sooner did I publish my last post on regulatory coverage than I learned about a settlement between the Office of Civil Rights (OCR) in the US Department of Health and Human Services and Fresenius Medical Care North America (Fresenius). The settlement is noteworthy because of its size relative to the number of records breached. This is a great example of how aggressive the OCR can be. It is also a good lesson for companies that may not yet be doing everything their regulators think is necessary to manage cyber risk.
In January 2013 Fresenius notified the OCR of five separate breaches of patients’ protected healthcare information (PHI) at five different entities it owns and controls. Those breaches were:
- Two desktop computers were stolen that contained PHI of 200 patients.
- An unencrypted USB drive was stolen from an employee’s car that contained PHI of 245 individuals.
- A hard drive from an out-of-service desktop computer containing PHI of 35 individuals went missing. The loss was not reported to the Fresenius risk management department.
- An unencrypted laptop containing the PHI of 10 patients was stolen from an employee’s car. The laptop was stored in a bag that had a list of the employee’s passwords.
- A desktop computer was stolen that contained the PHI of 31 individuals.
The OCR undertook a compliance review and found a number of HIPAA rule violations. They included:
- All entities failed to conduct an accurate and thorough risk analysis with respect to the confidentiality, integrity, and availability of patients’ PHI.
- All entities allowed PHI to be disclosed for a purpose not allowed by the HIPAA Privacy Rule.
- Certain entities failed to implement policies and procedures to prevent unauthorized access, tampering, and theft.
- One entity failed to implement policies and procedures to govern the receipt and removal of hardware and electronic media that contain PHI.
- Certain entities failed to encrypt PHI.
- One entity failed to implement policies and procedures to address security incidents.
- One entity failed to implement policies and procedures concerning the functionality and physical attributes of computer workstations used to access patient PHI.
At the conclusion of the review, which involved the breach of only 521 records, Fresenius negotiated a $3.5 million settlement with the OCR. If you’re wondering, that’s over $6,700 per record.
One of the striking things about this settlement is that what happened to the Fresenius entities could happen to any company at any time. The violations were small slip-ups that affected a small number of patients. Nothing that happened was unusual, and Fresenius does not appear to have done anything particularly egregious that allowed the breaches to happen.
The size of the settlement amount relative to the breaches and the actions that contributed to them sends a strong signal that the OCR is deadly serious about enforcing the HIPAA Privacy and Security Rules. They will seek settlements that may appear to be disproportionate to the magnitude and consequences of any violations. This is clearly intended to send a message to HIPAA covered entities that HIPAA compliance must be given the highest priority.
Faced with a zealous regulator like the OCR, covered entities obviously need to fully understand their data privacy and security risks, to put robust information governance policies and procedures in place, and to change and update them as needed. Companies also need to create a good record of their efforts to comply with the HIPAA Privacy and Security Rules. The OCR wants to see that your company has a culture of HIPAA compliance. They won’t just take your word for it, though. A strong written record of the company’s focus and actions is necessary to satisfy the OCR. That record of compliance may ultimately moderate the OCR’s interest in seeking a large settlement.
Although the settlement with Fresenius involves breaches of PHI, it would be a mistake for non-healthcare companies to assume that other regulators in the US and abroad will act differently. As I mentioned in my last post, we are in an era where regulators are focusing hard on cyber risk. Those regulators are, or seem likely to become, every bit as assertive as the OCR is in fulfilling their consumer protection mandates.
One final note: the regulatory coverage of a good cyber policy should cover the cost to respond to the OCR and other regulators. It should also cover settlements, and fines and penalties if they are legally insurable.