HIPAA Settlements Between Healthcare Providers and the Government
HHS relied mainly on voluntary compliance measures to address HIPAA violations until approximately one year ago. Recent settlements between HHS and healthcare providers suggest, however, that resolution settlements could be more severe if a violation happens today. HHS may still rely on voluntary compliance, but it is also willing to use other measures, like fines, resolution agreements, and detailed corrective action plans.
II. Resolution agreements and corrective action plans
Two recent HIPAA violations have resulted in substantial fines and detailed resolution agreements and corrective action plans, suggesting that this may be a turning point in the enforcement HHS employs to resolve HIPAA violations.1
A. Resolution agreements
A Resolution Agreement is "a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years."2 HHS has used resolution agreements in two major settlements, one with Providence Health & Services (PHS) on July 9, 2008 and one with CVS Pharmacy (CVS) on Jan. 15, 2009. HHS intends only to use Resolution Agreements to "settle investigations with more serious outcomes, when OCR [the Office of Civil Rights] has not been able to reach a satisfactory resolution through the covered entity's demonstrated compliance or corrective action through other informal means."3
Resolution agreements typically will involve paying a fine,4 and the entity agrees to enter into and comply with a corrective action plan (CAP), as a term and condition of the Resolution Agreement. The entity does not admit liability by signing the Resolution Agreement, at least not in the two cases which have entered into such agreements at this time.5 HHS agrees, however, to release the entity from "any actions arising out of or related to" the conduct that violated the law.6 The six-year statute of limitations for imposing civil monetary penalties on an entity for a HIPAA violation is tolled to ensure that HHS may still bring an action against the entity in the event "of an uncured material breach."7
B. Corrective action plans
Both resolution agreements entered into by HHS at this time have utilized CAPs as a term and condition of the settlement. CAPs require specific corrective action obligations to prevent another violation, with appropriate tailoring to address the gaps in the entity's policies and procedures that led to the violation at issue. Corrective action obligations have included addressing the entity's policies and procedures and submitting them for approval to HHS; distributing the policies and procedures to all members of the workforce and certifying receipt, understanding and acceptance of them; dictating minimum content in the policies and procedures; ensuring that members of the workforce receive adequate training on the policies and procedures; monitoring for violations; and creating a procedure for members of the workforce to report violations internally.8
The entity must also present an implementation report to HHS within a specified number of days after the entity's policies and procedures are approved.9 The implementation report "summarize[es] the status of the implementation of the CAP" by the entity.10 The entity, finally, submits an Annual or Periodic Report to HHS each year the CAP is in force.11 This Report, among other entity-specific requirements, includes disclosing training schedules and materials; confirmation that the entity has certifications from all members of the workforce that went through training; summaries of any violations; and certification that a designated entity representative reviewed the Report and confirms "the information is accurate and truthful."12
HHS will notify the entity if it determines the entity breached the CAP, and the entity must respond in the time demanded. The response can be either that the entity is in compliance; the "alleged material breach has been cured";13 or the entity cannot repair the alleged breach within the time limit but is working to do so.14 HHS may impose civil monetary penalties against the entity if it fails to meet the time and response requirements.15
C. PHS and CVS settlements
These more severe HHS settlements that utilize fines and resolution agreements have been implemented against two entities, PHS and CVS, as noted above. The settlements were based on the following facts.
PHS entered into a resolution agreement with HHS that required a $100,000 fine and a CAP. A PHS employee removed four backup tapes and two optical disks containing unencrypted, electronic protected health information (ePHI) from a division of PHS, which was a common practice, on Dec. 30, 2005. The employee left these disks and tapes in his car overnight, and they were stolen from the vehicle.16 Laptops with unencrypted ePHI were stolen from members of PHS' workforce on four other separate occasions17 after members of the workforce removed the laptops from PHS.18
CVS entered into a resolution agreement with HHS that required a $2.25 million fine and a CAP. OCR and the Federal Trade Commission jointly investigated CVS' HIPAA compliance "after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public."19 The investigation also discovered that CVS did not have a policy for sanctioning members of its workforce who did not comply with its PHI disposal policies and procedures.20
III. Other settlements21
HHS has settled HIPAA violations with health care providers using other means when a resolution agreement is not appropriate.
A. Other settlement means
HHS' other settlement means include: changing policies and procedures,22 training staff on new or amended policies and procedures, addressing the problem or repairing the flaw in the system,23 apologizing to the complainant,24 changing a form or document25 and sanctioning the employee responsible.26 HHS does not provide dates or other identifying information regarding these settlements, so it is unclear whether many of them took place before or since HHS has started to use Resolution Agreements to settle violation cases.
B. Hospital telephone messages27
A hospital employee, as a specific and pertinent example, called a patient regarding the patient's medical problem and plan for treatment. The patient was not available, and the employee left this PHI with the patient's daughter. The hospital employee also violated HIPPA by calling the patient's home phone number when the patient requested only communication at her work phone number. The hospital resolved this matter with HHS by drafting and executing new procedures that required training employees to limit the content in their phone messages. They were also instructed to check the patient's contact restrictions with respect to messages.
1 John Eriksen, HIPAA Compliance Must Address Organization Oversight, 18 MANAGED HEALTHCARE EXECUTIVE 10, 10 (2008).
2 U.S. Dep't of Health & Human Servs., Case Examples and Resolution Agreements, www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html (last visited May 22, 2009).
4 Id. Providence Health & Services received a $100,000 fine in 2008, and CVS Pharmacy, Inc. received a $2.25 million fine in 2009.
5 Providence Health & Services ("PHS") Resolution Agreement, July 9, 2008, at 1, available at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html; CVS Pharmacy, Inc. ("CVS") Resolution Agreement, January 15, 2009, at 2, available at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html. CVS "expressly den[ied] any violation of HIPAA or the Privacy Rule." Id.
6 CVS Resolution Agreement, supra note 5, at 4.
7 Id. at 4–5.
8 Id. at 11–17. See also PHS Resolution Agreement App'x A, supra note 5, at 3–8.
9 CVS Resolution Agreement, supra note 5, at 17; PHS Resolution Agreement App'x A, supra note 5, at 8.
10 CVS Resolution Agreement, supra note 6, at 17.
11 Id. at 18–19; PHS Resolution Agreement App'x A, supra note 5, at 8–9.
12 CVS Resolution Agreement, supra note 5, at 19; PHS Resolution Agreement App'x A, supra note 5, at 9.
13 CVS Resolution Agreement, supra note 5, at 20.
14 Id. at 19–20; PHS Resolution Agreement App'x A, supra note 5, at 9–10.
15 CVS Resolution Agreement, supra note 5, at 20; PHS Resolution Agreement App'x A, supra note 5, at 10.
16 PHS Resolution Agreement, supra note 5, at 1.
18 U.S. Dep't of Health & Human Servs., Resolution Agreement: HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information, www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/providenceresolutionagreement.html (last visited May 21, 2009).
19 News Release, U.S. Dep't of Health & Human Servs., CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case (Feb. 18, 2009), available at www.hhs.gov/news/press/2009pres/02/20090218a.html.
20 CVS Resolution Agreement, supra note 5, at 2.
21 U.S. Dep't of Health & Human Servs., All Case Examples, www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html (last visited May 21, 2009). This website contains a list of twenty-seven case examples with brief facts and HHS resolution.
22 This occurred, as a few select examples, on facts like leaving a phone message with a patient's daughter; disclosing PHI to a newspaper without patient approval; and keeping pseudoephedrine log books out on the pharmacy counter.
23 This occurred when patients could see computer screens with PHI and when an HMO mailed an explanation of benefits to an unauthorized family member.
24 This occurred on facts like sending a claim with patient test results to the improper payor; revealing PHI to a research company without the patient's approval; placing a red "AIDS" sticker on the front of patient's medical records that other patients could see.
25 This occurred when an HMO sent the patient's medical records to a disability insurance company based upon a form it utilized and when a practice faxed a patient's HIV status to his employer instead of his new provider.
26 This occurred, as a few select examples, on facts a health insurer releasing a patient's PHI without going through the proper procedures; revealing PHI to a research company without the patient's approval; a supervisor examining another employee's medical record; discussing a patient's HIV/AIDS status near other patients without taking precautions to avoid being overheard.
27 U.S. Dep't of Health & Human Servs., All Case Examples: Hospital Implements New Policies for Telephone Messages, www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html (last visited May 21, 2009).
Anna Timmerman (email@example.com) is an associate with McGuireWoods.
© Copyright ASC COMMUNICATIONS 2016. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.