Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements
From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement action. In what may be a sign of things to come, the Department of Health and Human Services (DHHS) is scrutinizing both “covered entities” and “business associates” under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
On April 14, DHHS reached a $750,000 settlement with North Carolina-based Raleigh Orthopaedic Clinic for transmitting protected health information to a third-party vendor without first entering into a formal “business associate agreement.” This comes on the heels of an earlier settlement in which DHHS obtained $1.55 million from North Memorial Health Care, a Minnesota hospital chain, in resolution of claims over a similar HIPAA violation alongside other risk management failures. North Memorial’s settlement required a comprehensive series of corrective actions and is illustrative of the consequences of failing to maintain adequate vendor oversight.
In September 2011, North Memorial Health Care, a “covered entity,” reported to the DHHS Office for Civil Rights (OCR) that a laptop containing unencrypted protected health information (PHI) of more than 8,000 patients had been stolen from the vehicle of an employee of Accretive Health, a data analytics firm that the hospital had contracted with to provide financial and debt collection services. Prior to the incident, North Memorial did not have a written “business associate agreement” with Accretive, as required by the HIPAA regulations. Pursuant to 45 C.F.R. § 164.504(e), a business associate agreement must contain, among other things, provisions requiring the business associate to implement “appropriate safeguards” to prevent unauthorized use or disclosure of PHI, to report any unauthorized use or disclosure of PHI to the covered entity no later than 60 days following discovery of a breach, and to ensure that its subcontractors agree to the same restrictions and conditions that apply to the business associate with respect to PHI.
In addition to paying $1.55 million, North Memorial agreed in its settlement with OCR to implement a comprehensive corrective action plan (CAP) requiring it to undertake several corrective actions:
• develop policies and procedures related to business associate relationships, including assessing the hospital’s future business relationships to determine whether the HIPAA Rules required it to enter into additional business associate agreements;
• modify its existing risk analysis process, including undertaking a complete inventory of all electronic equipment, data systems, and applications used by North Memorial;
• develop and implement an organization-wide risk management plan, policies, and procedures for approval by DHHS;
• train all appropriate workforce members concerning the policies and procedures regarding business associate relationships and risk management; and
• provide substantial reporting to DHHS, including notification within 30 days of “Reportable Events” (instances in which a workforce member violated the policies and procedures required by the CAP), and an annual report containing, among other things, signed attestations from an officer of the hospital attesting that the plan, policies and procedures required by the CAP have been implemented, and copies of all training materials.
Any breach of the CAP by North Memorial would entitle DHHS to impose a civil monetary penalty under 45 C.F.R. Part 160.
Accretive, the hospital’s “business associate,” was itself subject to a separate investigation by the Federal Trade Commission in 2013 as a result of this breach. The enforcement action against Accretive was the first brought against a business associate under the 2013 provisions of HITECH. HITECH extended direct statutory liability for HIPAA violations to business associates, supplementing contractual liability and clarifying that a business associate may be liable even in the absence of an agreement with a covered entity. See 45 C.F.R. § 160.402. The FTC’s February 2014 consent order with Accretive required it to implement a comprehensive information security program.
These settlements have specific implications for companies that are “covered entities” and “business associates” as those terms are defined by HIPAA. See 45 C.F.R. § 160.103 (HIPAA definitions). A “covered entity” is specifically defined as either a health plan, a health care clearinghouse, or a healthcare provider (including pharmacies). A “business associate” is defined more generally as any person who, “on behalf of [a] covered entity or of an organized health care arrangement (as defined in [the Act]) in which the covered entity participates . . . creates, receives, maintains, or transmits protected health information” or provides “legal, actuarial, accounting, consulting, data aggregation, . . . management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates.” The definition includes persons who conduct services such as “claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.” Business associates do not include employees of the covered entity itself.
The OCR’s settlement with North Memorial is yet another example of a regulatory agency bringing an enforcement action where a regulated company failed to oversee the security practices of vendors given access to sensitive customer or client information of the regulated entity. Agencies such as the Federal Trade Commission, Securities and Exchange Commission, and Federal Reserve Board have brought enforcement actions and issued guidance requiring companies to maintain oversight of the security practices of third-party vendors entrusted with PII, PHI and other sensitive data. See, e.g., In the Matter of R.T. Jones Capital Equities Mgmt., Inc., No. 3-16827 (S.E.C. Sept. 22, 2015); In the Matter of GMR Transcription Servs., Inc., No. 122-3095 (F.T.C. Jan. 31, 2014); S.E.C. Office of Compliance Inspections and Examinations, OCIE’s 2015 Cybersecurity Examination Initiative, Vol. IV, Issue 8 (Sept. 15, 2015); Federal Trade Commission, Start with Security: A Guide for Business, Lessons Learned from FTC Cases (June 2015); Federal Reserve Board, Guidance on Managing Outsourcing Risk (Dec. 2013); Federal Trade Commission, Protecting Personal Information: A Guide for Business (Nov. 2011).
We will continue to monitor the regulatory responses to breaches related to vendor management and enforcement actions brought by DHHS.