After a relatively quiet start to 2018, the Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has had an incredibly busy week, with the announcement of a blockbuster settlement, an updated security risk assessment tool, and new priorities for the agency.
In a record-breaking settlement, Anthem, one of the nation’s largest health benefits companies, has agreed to pay OCR $16 million and take substantial corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) after self-reporting a series of cyberattacks that resulted in the largest health information data breach in U.S. history. Notably, the breach included electronic protected health information (ePHI) that Anthem maintained as a business associate acting on behalf of its affiliated health plans, making this week’s enforcement action by OCR one of the few involving a business associate.
In March of 2015, Anthem filed a breach report with OCR informing the agency of its discovery that cyberattackers had gained access to its information technology (IT) systems through an undetected, continuous, and targeted cyberattack for the alleged purpose of extracting data. After filing the report, Anthem later discovered that the cyberattackers had infiltrated its IT systems through a phishing scam targeting one of its subsidiaries, initiated when at least one employee responded to a malicious e-mail.
OCR’s further investigation determined that between early December 2014 and late January 2015, cyberattackers had stolen the ePHI of approximately 79 million people, including names, Social Security numbers, medical benefit identification numbers, and various other demographic identifiers.
In addition to the unauthorized disclosure of ePHI, OCR’s investigation revealed that Anthem had failed to conduct an enterprise-wide risk analysis in accordance with the HIPAA Security Rule, lacked sufficient standard operating procedures to regularly monitor its IT system activity, failed to identify and respond to other suspected and/or known security incidents, and failed to implement minimum controls to safeguard against unauthorized access to its IT systems.
In addition to paying the $16 million settlement, Anthem has agreed to a vigorous corrective action plan to ensure its compliance with HIPAA—including requirements to conduct an enterprise-wide security risk analysis and incorporate the results of such analysis into a security risk management plan. While conducting a risk analysis is a typical requirement in many OCR corrective action plans, Anthem must also provide OCR with a description of how it will conduct the analysis before it begins and let the agency weigh in on whether the plan is robust enough to satisfy the requirements under the Security Rule.
The Anthem settlement marks only the fifth OCR enforcement action this year, but the settlement figure puts OCR at just under the $25 million mark for monetary recoveries in 2018.
OCR’s press release and resolution agreement with Anthem are available here.
Updated Security Risk Assessment Tool
If the announcement of the Anthem settlement is not enough to signal to covered entities and their business associates the heightened importance of complying with the risk analysis requirements under HIPAA, just this week OCR and the Office of the National Coordinator for Health Information Technology (ONC) released an updated version of the downloadable Security Risk Assessment Tool (version 3.0), built to help small and medium-sized healthcare providers assess the state of their security programs. The newest version offers users an enhanced interface, the ability to track business associates and IT assets, and the ability to create detailed reports, among other features. The updated Security Risk Assessment Tool 3.0 is available here.
In a speech yesterday, Roger Severino, the director of OCR, said that the OCR desk audit program, which was originally styled as a vehicle through which OCR could provide technical assistance to the industry in a non-punitive manner, may become another enforcement tool for the agency in the future. Notably, Severino said that OCR may select entities to audit based on those that self-report breaches under the HIPAA Breach Notification Rule, and then pursue enforcement actions against those found to be “bad actors.”
On a slightly different topic, Severino commented that the exchange of health information for care coordination purposes is a priority for OCR, and that the agency will issue requests for information and will consider offering a HIPAA safe harbor for such exchanges.
Venable’s healthcare attorneys have significant experience representing clients in connection with OCR’s enforcement efforts, including audits, compliance reviews, and corrective action plans, and will continue to monitor the agency’s enforcement actions closely. If you have any questions related to this alert, please contact one of the authors.