On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.
Two district courts have recently stayed cases alleging that sex discrimination under ACA Section 1557 includes discrimination on the basis of gender identity and denial of coverage for gender transition, pending the Supreme Court’s decision in G.G. v. Gloucester County School Board. The Supreme Court accepted certiorari in Gloucester in October 2016 to determine the validity of recent Department of Education Title IX guidance regarding gender identity. Briefing is currently under way. The district courts stayed the Section 1557 cases, reasoning that the Supreme Court’s decision would likely determine the validity of the Department of Health & Human Services’ Section 1557 regulations on gender identity as well.
ACA Section 1557 and Title IX rules on sex discrimination
Section 1557 (42 U.S.C. § 18116) prohibits entities that receive federal funds for health activities or programs from discriminating on the grounds prohibited by Title IX. Title IX generally prohibits discrimination on the basis of sex by recipients of federal education assistance. Title IX, however, permits federal fund recipients to set up “separate living facilities for the different sexes.” DOE and HHS regulations for Title IX, originally issued by the Department of Health, Education and Welfare, define sex in binary terms – “one sex” versus “the other sex” – and permit recipients to set up comparable but separate housing and “toilet, locker room, and shower facilities on the basis of sex.”
The federal agency shift on sex discrimination: from biological sex to gender identity
In the years prior to the enactment of the ACA, courts reached opposite conclusions as to whether Title IX and comparable sex discrimination laws, such as Title VII, prohibit discrimination based on gender identity. With the enactment of the ACA and Section 1557, suits were brought against health plans and providers claiming that refusing to treat transgender persons, or to cover services for them, on the basis of their gender identity constituted sex discrimination. In one early Section 1557 decision from 2015, Rumble v. Fairview Health Services, a district court held that Section 1557 does provide a cause of action for discrimination based on gender identity.
Continue reading: “Waiting for the Supremes: High Court’s Decision in Gloucester County to Determine Validity of ACA Section 1557 Gender Identity and Transgender Services Rules”
On December 31, 2016, in Franciscan Alliance v. Burwell, Case No. 7:16-cv-00108-O, the District Court for the Northern District of Texas issued a nationwide injunction finding that portions of the U.S. Department of Health & Human Services, Office for Civil Rights’ (OCR) Final Rule for ACA Section 1557 violated the Administrative Procedure Act and cannot be enforced. The case was brought by eight States, three private healthcare providers and the Christian Medical & Dental Society.
U.S. District Court Judge Reed O’Connor found that OCR’s interpretation of Section 1557 to prohibit discrimination against transgender persons wrongly construed both Title IX and Section 1557. He found that these statutes only prohibit discrimination on the basis of biological sex. He also found that OCR’s Final Rule failed to properly incorporate the exceptions for religious institutions and for abortion services found in Title IX, which he said Section 1557’s language was intended to incorporate. See 20 USC § 1681(a)(3); § 1688.
The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that information blocking will generally violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking and thereby frustrate the goal of interoperability. Specifically, according to the OCR FAQ:
- An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
- An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
- A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
- A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.
OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.
The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.
Our colleagues at Data Law Insights have written about the HHS Office of Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week. This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule. Indeed, the focus on risk assessments is not unique to OCR – a security risk analysis is also a CMS requirement under the Medicare/Medicaid EHR Incentive Programs. Throughout 2015, there appeared to be an increasing trend of regulators (such as OIG, OCR, and others) conducting audit and enforcement activities related to IT security. To avoid enforcement scrutiny, health care entities should commit to performing and strengthening their security risk analyses in 2016.
Last week, the HHS Office of Civil Rights (OCR) announced a settlement with far-reaching implications for compliance with the HIPAA Security Rule where medical devices create and maintain electronic protected health information (ePHI). See Data Law Insights for a post authored by Jodi Daniel, Elliot Golding, and Stephanie Willis for more details about this settlement and another one against an insurance holding company announced less than a week later.
On September 8, 2015, the Department of Health and Human Services Office for Civil Rights promulgated proposed regulations implementing Affordable Care Act Section 1557’s anti-discrimination provisions. Section 1557 applies federal anti-discrimination laws that prohibit discrimination based on race, color and national origin, sex, disability, and age to health care programs that receive federal funds, such as qualified health plans offered on marketplaces. For a detailed analysis of the proposed rules, see our recent client alert.
The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced in an April 22, 2014, press release that two separate entities—Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. (“QCA”)—collectively have paid almost $2 million to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. OCR began its investigations of both entities after receiving breach reports regarding the theft of unencrypted laptop computers.
OCR received a breach report from Concentra on December 28, 2011, indicating that an unencrypted laptop was stolen on November 30, 2011, out of one of its physical therapy centers in Springfield, MO. Upon investigation, OCR discovered that Concentra had previously identified its lack of encryption as a risk, but had failed to adequately remediate and manage that risk, failed to document why encryption was not a reasonable and appropriate security measure, and failed to implement an equivalent alternative to encryption. Concentra also failed to adequately execute risk management procedures to reduce the risk it had identified from its lack of encryption. Based on the discovery of such potentially violative conduct, Concentra agreed to pay OCR $1,725,220, and will be required (in addition to its reporting obligations) to encrypt all of its new devices and equipment, including its laptops, desktops, medical equipment, tablets, and other storage devices containing electronic protected health information (ePHI).
Mandatory encryption represents a stricter interpretation of HIPAA’s plain language, since the statute itself lists encryption as an “addressable” rather than a “required” safeguard implementation specification. See 45 C.F.R. § 164.312(a)(2)(iv). “Addressable” does not mean optional, however: an entity must implement the specification where it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure. Admittedly, it is unclear whether OCR’s focus on and remedial mandate of encryption stemmed from Concentra’s own identification of its lack of encryption as a security risk. But recent comments by Susan McAndrew, Deputy Director for Health Information Privacy at OCR, while speaking at a HIMSS14 HIPAA compliance session, suggest that an increased wave of HIPAA enforcement and compliance audits is on the horizon. Combined with the encryption obligations listed in the Concentra Resolution Agreement, it is possible that OCR sees encryption as an emerging best practice, if not a close-to-required HIPAA safeguard.
In a similar set of events, OCR began its investigation of QCA after receiving a February 21, 2012, breach report that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from an employee’s car. OCR’s investigation revealed that QCA failed to implement policies and procedures to prevent, detect, contain, and correct security violations. QCA also failed to physically safeguard its ePHI-accessible workstations by neglecting to restrict access to authorized users. As a result, QCA has agreed to pay OCR $250,000, and will be required to develop risk analyses and risk management plans, provide mandatory security training to its employees, and promptly investigate any report that an employee has failed to comply with security and privacy policies and procedures. Notably, although this breach implicated the ePHI of a smaller set of individuals, it still triggered an OCR investigation.
These two settlements represent the latest in a series of OCR compliance investigations and fines, including WellPoint Inc.’s July 2013 $1.7 million penalty for leaving ePHI accessible over the internet, thereby impermissibly disclosing the ePHI of 612,402 individuals. In addition, Affinity Health Plan received a $1.2 million fine in August 2013 for failing to properly dispose of a photocopier, which impermissibly disclosed the PHI of up to 344,579 individuals.
In an effort to provide preventive information to other health organizations, OCR has made available six educational programs for health care providers. Topics range from understanding the basics of HIPAA security risks to mobile device compliance measures.