HHS Investigation of Business Associate Results in $350,000 Settlement
HHS has announced a resolution agreement with a business associate that had contracts with two covered health care entities to handle and protect individuals’ electronic protected health information (ePHI) containing sensitive information such as patient names, billing addresses, telephone numbers, primary health insurers, and social security numbers. After receiving a breach notification report alleging that a File Transfer Protocol (FTP) server containing ePHI was openly accessible to the public on the internet, HHS commenced an investigation. The investigation indicated that the business associate disclosed more than 230,000 individuals’ ePHI, failed to enter into a business associate agreement with a subcontractor, and did not conduct a security risk analysis or implement a risk management plan to determine and address vulnerabilities to ePHI across the organization. The HHS press release underscored that the Office for Civil Rights (OCR) investigates all breach reports of unsecured PHI affecting 500 or more people, that hacking/IT incidents were the most frequent type of large breach reported in 2022, and that network servers are the largest category of breaches involving more than 500 individuals.
The resolution agreement requires a $350,000 settlement payment and compliance with a two-year corrective action plan (CAP). Under the CAP, the business associate must, among other things, submit the following for HHS’s review and approval to ensure compliance with HIPAA: (1) a comprehensive risk analysis and risk management plan; (2) policies and procedures that are distributed to all members of the workforce; and (3) a privacy and security training program for workforce members who have access to PHI. The business associate must also investigate failures to comply with its policies and procedures and report any material failure to HHS.
EBIA Comment: This resolution agreement reminds health plans of the importance of acting prudently as HIPAA covered entities and of periodically revisiting their risk analysis, risk management plan, business associate agreements, policies and procedures, and training. Indeed, the HHS press release cautions HIPAA covered entities and their business associates to “improve their efforts” to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors. The business associate in this situation might have been able to avoid the HIPAA breach and audit if it had had a risk assessment and management plan, policies and procedures, and training in place. Furthermore, it is prudent practice for health plans that entrust participants’ ePHI to other entities to monitor those entities and ensure compliance by entering into business associate agreements and conducting regular security audits. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXIII.F (“Applying the HIPAA Privacy and Security Rules to Group Health Plans and Their Sponsors”), XXIV.F (“HIPAA Audits”), XXV.H (“Breach Planning and Response”), XXX.F (“Policies and Procedures, Documentation Requirements”), and XXXI.E (“Problems Relating to HIPAA Security”).
Contributing Editors: EBIA Staff.