Note to Mr. Donald Trump: According to HHS' New Omnibus Rule, You Can Have A Copy of That Birth Certificate in About 100 or so Years Because HIPAA Doesn't Apply

One change under the Omnibus Rule that is somewhat flying under the radar is that HIPAA will no longer apply to a patient's medical information 50 years after their death.  One of the main reasons HHS cites as the impetus for this change is that researchers, historians, biographers and archivists have had difficulty gaining access to such information since HIPAA was enacted.  While I find this to be an issue that may have justified a small tweak to the Privacy Rule to allow proper access to such information by authorized individuals, I find it curious that HHS chose to simply remove all protections 50 years after death. 

The Omnibus Rule has revised the "deceased individuals" standard at Section 164.502(f) so that a covered entity is no longer required to abide by HIPAA's restrictions on using and disclosing a patient's PHI once 50 years have passed since their date of death.

More curious rationale abounds in the Preamble to the Omnibus Rule. At one point, all decedents' information is referred to as "ancient or old records of historical value held by covered entities" with "likely few surviving individuals concerned with the privacy of such information".  HHS also believes that 50 years is an appropriate period of protection for decedents' information, taking into account the remaining privacy interests of living individuals "after the span of approximately two generations have passed".  Finally, HHS dismisses the concern that the 50 year limitation will incentivize record retention policies to be changed in order to profit from decedents' data after 50 years have elapsed.  In my opinion, these don't really hold up as great reasons for entirely removing HIPAA's protection of decedents' health information.

First, not all records are “ancient” and there certainly can be surviving individuals concerned with keeping such information private.  Obviously, people don’t all live to average life expectancies and some decedents will have even died at birth.  Such “young” decedents in particular can have many surviving family members, including siblings (maybe even a twin), parents or their own offspring.  These family members absolutely have a continuing interest to not have their deceased family member’s health information become “public” during their lifetime.

Thus, this Omnibus Rule change to the Privacy Rule appears to essentially have shifted the burden to the surviving family member to take affirmative action and expend potential resources to ensure such information is not made public. 

I am also not convinced that this change does not create an incentive to monetize access to decedents' data.  Although HHS emphasized that the change is NOT a record retention requirement (i.e., they are not saying that hospitals or health care providers have to keep records for 50 years), the change certainly could cause covered entities and business associates to hang on to such records longer, especially where the data originates from decedents who died between birth and age 20 and is still relatively "current" 50 years later. 

When the original HIPAA Privacy Rule was enacted, HHS considered many comments that pointed out the negative consequences of not extending HIPAA's protections to decedents' data.  Commenters specifically argued that surviving family members would be negatively affected, and a number of medical associations even asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death.  Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information.  HHS' original response to such comments was:

Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

In the end, while HHS may give "researchers" the big "GO AHEAD" to access information like birth certificates of past presidents and other health information 50 years after the person's date of death, there are state laws, like Hawaii's health care information privacy law (Haw. Rev. Stat. section 323C-43) (*), that will continue to apply to the protected health information of a deceased individual following the death of that individual.  Therefore, covered entities and business associates should remember that before you begin to amend your policies to reflect that HIPAA will no longer protect the privacy of medical records and health information 50 years after a decedent's death, state laws must still be followed, and should be reflected in such policies as well.

(*) Note that while this statute is mentioned by HHS in its original Preamble, Hawaii appears to have repealed this law on June 30, 2001.

"Significant Risk of Harm" No Longer Required to Trigger Breach Notification

When it comes to responding to a Breach, what every Covered Entity (CE) and Business Associate (BA) wants to know is “Do we have to notify, or not?”  Completing a documented “Risk Assessment” has always been required under the Interim Final Breach Notification Rule, but now HHS has made it expressly clear that the “risk of harm” is not something that can be used to avoid required notifications. 

The Interim Breach Rule defined a Breach to mean generally “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” See 45 CFR 164.402. It further elaborated that “compromises the security or privacy of the PHI” meant poses a significant risk of financial, reputational, or other harm to the individual. HHS explained that it originally included this “harm” standard in order to align the rule with many State breach notification laws as well as existing obligations on Federal agencies that have a similar “risk of harm” standard for triggering breach notification.

But, HHS has now backpedaled on the 'significant risk of harm' test, and replaced it with a presumption that any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as the case may be, demonstrates that there is a low probability that the PHI has been compromised. 

HHS goes on to state in its Preamble to the Omnibus Rule that CEs and BAs have the burden of proof to demonstrate that there is a low probability that the PHI has been compromised.  The CE or BA must also maintain written documentation sufficient to demonstrate why it concluded that there was a low probability that the PHI was compromised and did not issue notices, and must retain that documentation for the six-year period required by 45 CFR 164.530(j).

So, developing a process for completing and documenting Breach Risk Assessments is now more important than ever with each incident of unauthorized use or disclosure of PHI.  The 4 factors that HHS states should be evaluated during such assessment follow:

1)  Nature & Extent of PHI

For this factor, HHS suggests that CEs and BAs consider the type of PHI involved, such as whether the PHI was of a more "sensitive" nature.  An example given is that if credit card numbers, social security numbers, or other information that increases the risk of identity theft or financial fraud are involved, this would cut against finding that there is a "low probability" that the PHI was compromised.  With respect to clinical information, HHS points out that CEs and BAs might consider things like the nature of the services, as well as the amount of information and detail involved.  It is worth noting that in a footnote, HHS specifically calls out that "sensitive" information is not limited to things like STDs, mental health or substance abuse.

2)  Unauthorized Person

To evaluate the second factor, HHS suggests that CEs and BAs consider who the unauthorized recipient is or might be.  For example, if the recipient person is someone at another CE or BA, then this may support a finding that there is a lower probability that the PHI has been compromised since CEs and BAs are obligated to protect the privacy and security of PHI in a similar manner as the CE or BA from where the breached PHI originated.  Another example given is if PHI containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the PHI has been compromised.

3)  Acquired or Viewed

The third factor requires CE and BAs to investigate and determine if the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.  One example given here, which is a common scenario that arises for many CEs and BAs, is where a CE mails information to the wrong individual who opens the envelope and calls the CE or BA to say that he/she received the information in error.  HHS points out that in such a case, the unauthorized recipient viewed and acquired the information because he/she opened and read the information and so this cuts against a finding that there is low probability that the PHI was compromised.  To contrast, HHS offers an example of how to analyze this factor in the context of lost laptops.  Specifically, HHS explains that if a laptop computer is stolen and later recovered and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, the CE or BA could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.

However, here HHS is also quick to point out that if a laptop is lost or stolen, HHS would not consider it reasonable to delay breach notification based on the hope that the computer will be recovered and that forensics might show that the PHI was never accessed.

4)  Mitigation

The final factor to analyze is mitigation. HHS reminds CEs and BAs that each must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the PHI will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed.  When determining the probability that the PHI has been compromised, CEs and BAs should consider the extent of what steps needed to be taken to mitigate, and how effective the mitigation was.  HHS offered an example that CEs and BAs may be able to obtain and rely on the assurances of an employee, affiliated entity, BA, or another CE that the entity or person destroyed PHI it received in error, while such assurances from certain third parties may not be sufficient. 
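The four factors above read as a checklist, but the security-relevant point is the default: under the presumption of breach, an incident that cannot be documented as "low probability" gets notified.  The following is an added illustration (mine, not HHS guidance and not the post's own material) of how a CE or BA might encode that default-to-notify logic and emit the retained assessment record.  The classifications of PHI types and recipients, the aggregation rule (a forensically established "never accessed" finding suffices on its own; otherwise every factor must support low probability), and the sample incidents are all assumptions of this example; an entity's own documented process controls.

```python
"""Illustrative breach risk assessment applying the Omnibus Rule's presumption of breach.

Added example; not HHS guidance and not the blog's own material. Policy choices below
(which findings count as supporting "low probability") are assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional
import json

RETENTION_YEARS = 6  # 45 CFR 164.530(j) documentation retention; applied as 365-day years (assumption)

# Assumed classifications for this example.
IDENTITY_THEFT_TYPES = {"ssn", "credit_card", "bank_account", "drivers_license"}
TRUSTED_RECIPIENTS = {"covered_entity", "business_associate", "workforce_member", "affiliate"}


@dataclass
class Incident:
    summary: str
    phi_types: set                              # e.g. {"ssn", "diagnosis", "service_dates"}
    recipient: str                              # a TRUSTED_RECIPIENTS value, "employer", "member_of_public", "unknown"
    viewed_or_acquired: Optional[bool]          # True = known viewed; False = forensics show no access; None = unknown
    device_recovered: Optional[bool]            # for lost/stolen media; None when no device is involved
    destruction_assurance_from: Optional[str]   # who gave satisfactory assurances of destruction, if anyone
    encrypted_per_hhs_guidance: bool = False


@dataclass
class Finding:
    factor: str
    supports_low_probability: bool
    rationale: str


def nature_and_extent(inc: Incident) -> Finding:
    risky = inc.phi_types & IDENTITY_THEFT_TYPES
    if risky:
        return Finding("nature_and_extent", False, f"identity-theft enablers present: {sorted(risky)}")
    return Finding("nature_and_extent", True, f"no identity-theft enablers; types: {sorted(inc.phi_types)}")


def unauthorized_person(inc: Incident) -> Finding:
    if inc.recipient in TRUSTED_RECIPIENTS:
        return Finding("unauthorized_person", True, f"recipient '{inc.recipient}' is itself bound by HIPAA")
    if inc.recipient == "employer" and {"diagnosis", "service_dates"} & inc.phi_types:
        return Finding("unauthorized_person", False, "employer can re-identify employees from absence records")
    return Finding("unauthorized_person", False, f"recipient '{inc.recipient}' has no HIPAA obligations")


def acquired_or_viewed(inc: Incident) -> Finding:
    if inc.device_recovered is False:
        # Do not delay notification hoping the device turns up and forensics clear it.
        return Finding("acquired_or_viewed", False, "device not recovered; no forensic basis to show PHI was not accessed")
    if inc.viewed_or_acquired is False:
        return Finding("acquired_or_viewed", True, "forensic analysis shows PHI was never accessed or acquired")
    if inc.viewed_or_acquired is True:
        return Finding("acquired_or_viewed", False, "recipient opened and read the PHI")
    return Finding("acquired_or_viewed", False, "acquisition unknown; the opportunity existed and cannot be ruled out")


def mitigation(inc: Incident) -> Finding:
    who = inc.destruction_assurance_from
    if who is None:
        return Finding("mitigation", False, "no satisfactory assurances obtained")
    if who in TRUSTED_RECIPIENTS:
        return Finding("mitigation", True, f"destruction assurance from '{who}' may be relied on")
    return Finding("mitigation", False, f"assurance from '{who}' is not sufficient on its own")


def assess(inc: Incident, today: Optional[date] = None) -> dict:
    """Presumption of breach: notify unless the documented findings demonstrate low probability."""
    today = today or date.today()
    record = {"summary": inc.summary, "assessed_on": today.isoformat(),
              "retain_until": (today + timedelta(days=365 * RETENTION_YEARS)).isoformat()}
    if inc.encrypted_per_hhs_guidance:
        # Breach notification reaches only *unsecured* PHI (45 CFR 164.402); document the basis and stop.
        record.update(findings=[], low_probability=True, notify=False,
                      basis="PHI secured by encryption per HHS guidance; not unsecured PHI")
        return record
    findings = [nature_and_extent(inc), unauthorized_person(inc), acquired_or_viewed(inc), mitigation(inc)]
    # Aggregation rule (assumption): forensically clean acquisition finding suffices; otherwise all four must support.
    low = findings[2].supports_low_probability or all(f.supports_low_probability for f in findings)
    record.update(findings=[asdict(f) for f in findings], low_probability=low, notify=not low)
    return record


def assessment_document(inc: Incident, today: Optional[date] = None) -> str:
    """The written record a CE/BA would retain to carry its burden of proof."""
    return json.dumps(assess(inc, today), indent=2)


# Constructed incidents mirroring the preamble's examples; not real events.
MISDIRECTED_MAIL = Incident("Statement mailed to wrong patient, who opened it and called",
                            {"diagnosis", "name"}, "member_of_public", True, None, "member_of_public")
RECOVERED_LAPTOP = Incident("Stolen unencrypted laptop recovered; forensics show no access",
                            {"diagnosis", "ssn"}, "unknown", False, True, None)
MISSING_LAPTOP = Incident("Stolen unencrypted laptop, never recovered", {"diagnosis", "ssn"}, "unknown", None, False, None)
EMPLOYER_DISCLOSURE = Incident("Diagnoses and service dates sent to patients' employer",
                               {"diagnosis", "service_dates", "name"}, "employer", True, None, None)

if __name__ == "__main__":
    for inc in (MISDIRECTED_MAIL, RECOVERED_LAPTOP, MISSING_LAPTOP, EMPLOYER_DISCLOSURE):
        print(assessment_document(inc))
```

The design choice worth noting is that every unknown (an unrecovered device, an unidentified recipient, no assurances) resolves to "does not support low probability", so the record can only reach "no notification" on affirmative, documented evidence.  That is the shape the burden of proof takes once the "significant risk of harm" test is gone.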

HHS discusses other aspects of Breach Notification in the Preamble, which I will cover in future posts.  As a primer, HHS goes into a discussion of how uses and disclosures of PHI beyond HIPAA's Minimum Necessary rule could constitute a Breach!  (But remember that Minimum Necessary does not apply to disclosures: for treatment; to the patient himself/herself; pursuant to a valid Authorization; that are required by law, including HIPAA; and (of course) to HHS, when disclosure of PHI is required under the Privacy Rule for enforcement purposes.  See here.)

In the end, covered entities and business associates (and now, sub-vendors of BAs too!) just want to know what they should do in response to breaches.  The general answer is that the scales have tipped towards notifying affected individuals in most cases where PHI gets into the hands of someone who was not intended to have it.  That said, CEs and BAs should strongly consider assembling an educated core "team" of individuals who will become adept at completing Breach Risk Assessments, contacting outside assistance and counsel as needed, and proceeding with an appropriate response.

As a final interesting observation, it's worth noting that HHS specifically states that the penalty distribution methodology requirement of the HITECH Act (§13410(c)) was not addressed in the Omnibus Rule, and will be the subject of a future rulemaking.  The HITECH Act provides:

(c) DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED.—

(3) ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.—

Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.  (emphasis added).

It will be very interesting to see if HHS will apply the same standard it decided on for Breach determinations to also determine if a person has been “harmed” for purposes of paying individuals a percentage of CMPs collected against a Covered Entity, BA or BA sub-vendor for such HIPAA violations. That is, will HHS part with a % of CMPs collected and disburse such payments to patients based on a “presumption of harm” unless HHS can demonstrate and document otherwise? 

I guess we will have to wait for the next Rule to be released to see if the threshold HHS selected for purpose of determining "harm” for Breach Notification will be carried over to its own determinations of when to pay individuals under this HITECH Act mandate. Stay tuned for that.....

Deciphering the HITECH Omnibus Rule: Business Associates

Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released.  As of this past Thursday, we all finally have some guidance on how to implement provisions of the HITECH Act, including but not limited to provisions governing business associate and subcontractor liability, individual access rights, fundraising, marketing, breach standards, and much more. 

True to its name, the HITECH "Omnibus" Rule or Final Rule packs in a lot of changes to the HIPAA Privacy and Security Rules, enforcement provisions and breach notification requirements of the HITECH Act, as well as amendments to GINA and handling of genetic information.  To make dissecting this 500+ page rule manageable, the next few posts will focus on key aspects of the HITECH Final Rule, starting today with the provisions of the Final Rule which impact business associates and their subcontractors.

A covered entity is and has been required by HIPAA to enter into a HIPAA Business Associate Agreement (HIPAA BAA) with any entity that would create, receive or transmit PHI for or on their behalf in connection with certain health care operations purposes.  However, before the implementation of the HITECH Act, business associates of covered entities were not directly liable for improper uses or disclosures of protected health information (PHI) in the performance of services or functions. 

Ultimately, only covered entities were responsible in the event a business associate failed to appropriately safeguard the PHI they were provided with or used/disclosed it improperly. However, as you know, HITECH made provisions of the Privacy and Security Rules directly applicable to business associates, with the NPRM proposing several modifications to the definition of a “business associate”, including adding Patient Safety Organizations and patient safety activities as well as certain health information exchange organization (HIOs) and personal health record (PHR) activities. 

The HITECH Final Rule modifies the definition of "business associate" to mean any person who "creates, receives, maintains, or transmits" PHI on behalf of a covered entity, in order to clarify that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI.  PHR vendors will also be considered business associates where they provide PHRs for or on behalf of a covered entity, rather than simply establishing a connection for the covered entity to send PHI to the individual's PHR.  Rather than acting simply as a "conduit", the PHR vendor is maintaining PHI on behalf of the covered entity for the benefit of the individual. 

For HIOs and other entities, they will be considered business associates where they (1) provide data transmission services with respect to PHI and (2) require routine access to the PHI.  The Preamble to the HITECH Final Rule clarifies “access on a routine basis” to mean circumstances where an entity requires access to PHI in order to perform services and functions on behalf of a covered entity, such as management of an exchange network through use of record locator and other services on behalf of its participants.  However, HHS recognizes that it will depend upon the circumstances and states its intention of issuing future guidance in this area. 

Most importantly, and perhaps a sore point for business associates and their subcontractors, the HITECH Final Rule makes subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of such business associate likewise HIPAA business associates.  Therefore, these downstream subcontractors will be subject to the same requirements that the first business associate is subject to.  Each business associate now also is required to have a HIPAA compliant BAA in place with its subcontractors, its subcontractor with its own subcontractors, and so forth down the chain of subcontractors no matter how long. 

HHS recognized that,

“The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for [PHI] lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.  Allowing such a lapse in privacy and security protections could allow business associates to avoid liability….”

Furthermore, the Preamble stated, “applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive [PHI] in order for the covered entity to perform in health care functions.”

The HITECH Final Rule also provides some clarification as to when a business associate will be an "agent" of a covered entity.  Although determinations of whether a business associate is acting as an agent of a covered entity are generally fact specific, the Preamble to the Final Rule makes it clear that federal common law agency principles will be applied, regardless of whether the parties consider or state themselves to be independent contractors.  If the covered entity has the right to control or direct any given service or function provided or performed by the business associate (e.g., directing how the business associate will make PHI available to an individual exercising access rights), then an agency relationship will likely be created.  

Liability for a business associate’s actions, however, will only extend to the scope of the agency. For example, if a business associate fails to limit PHI disclosed to the minimum necessary while performing services it was engaged by a covered entity to perform (as an agent), then the business associate is likely acting within the scope of agency.  However, a business associate’s conduct is outside the scope of agency where it acts for its own benefit or for that of a third party. 

Business associates are also subject to the HITECH marketing requirements, to be discussed in a future blog post.  And finally, the HITECH Final Rule applies certain other provisions of the Privacy Rule directly to business associates.  Business associates will have direct liability for impermissible uses or disclosures in violation of the HIPAA BAA or the Privacy Rule, as well as:

  • failure to disclose PHI where required by the Secretary;
  • failure to disclose PHI for access rights;
  • failure to limit PHI used/disclosed to the minimum necessary;
  • failure to obtain a HIPAA compliant BAA with subcontractors;
  • failure to provide breach notification;
  • failure to provide an accounting of disclosures (subject of a separate future rulemaking)

Covered entities and business associates are permitted under the Final Rule transition provisions to continue operating under existing HIPAA BAAs for up to one year beyond the compliance date of the Final Rule, or until the agreement's first renewal or modification after the compliance date, whichever is earlier.  The minimum requirements of a HIPAA BAA were slightly modified by the Final Rule, and now:

  1. Must include the requirement that a business associate report any Breach of which it becomes aware to the covered entity, in addition to security incidents;
  2. Must include the requirement that a business associate, to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of such obligation; and
  3. Need not include the requirement that the covered entity report a business associate to the Secretary for patterns or practices which constitute a material breach or violation of the HIPAA BAA.

Stay tuned for a discussion of the new Breach Presumption and Risk Assessment requirements implemented by the Final Rule...

FINALLY! HHS Releases the Final HIPAA/HITECH Omnibus Rule.

Finally, the long awaited Final Rules are out.  The Department of Health and Human Services (HHS) posted the HIPAA/HITECH "Omnibus Rule" on January 17, 2013 at 4:15 pm.  You can download a copy here, or go straight to the source at:  www.federalregister.gov/public-inspection.  HHS also posted a Press Release, which you can review here.  The "official" version of the Final Rules is scheduled to be published in the Federal Register on January 25, 2013.

The Final Rules are effective on March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

The Omnibus Rule is comprised of four final rules:

  • Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications include:
    • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements;
    • Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization;
    • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full;
    • Require modifications to, and redistribution of, a covered entity’s NPP;
    • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
    • Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect
  • Final Rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009;
  • Final Rule on Breach Notification for Unsecured PHI, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009;
  • Final Rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

Over the next several days, we will digest and analyze the impact of the changes in the Final Rules and be posting summaries by various topic on Legal HIE, so check back often.  Find out what the final verdict is on the "harm" threshold for Breach determinations; what are the final changes you will need to make to your Notice of Privacy Practices; how access to decedents' information has changed; changes to releasing immunization records; new protections to genetic information, and much more....

Also, final updates to all of our HIPAA HITECH-Helpbooks reflecting all Final Rule changes will be completed very soon.  If you are interested in additional information about our Helpbooks, please email me at helen@oscislaw.com.

ONC Setting Stage for NHIN Governance Guidance

Last year, ONC announced that it would not be moving forward on establishing governance regulations for the Nationwide Health Information Network (now called the "eHealth Exchange") as a result of the comments and feedback it received.  Instead, it proposed to move forward with developing best practices guidance and support activities for existing governance initiatives and goals in nationwide health information exchange (HIE).

This year, ONC is kicking off several activities to support HIE governance.  First, a federal funding opportunity is available for existing governance entities to further develop and adopt policies, interoperability requirements, and business practice criteria relating to HIE.  Applications may be submitted until February 4 on Grants.gov.

Secondly, Dr. Mostashari and ONC have scheduled an open Town Hall listening session for this coming Thursday, January 17, as well as February 14 in order for stakeholders to express their priorities, concerns or issues.  Based on stakeholder input, the HIT Policy Committee and HIT Standards Committee are expected to hold a public hearing then on January 29 to discuss current HIE policies, practices and impediments, as well as opportunities to strengthen and improve governance. 

Finally, ONC will develop and publish a series of governance "guidelines" for effective and trustworthy HIE based on the feedback it has received.  Stay tuned for more information on ONC's new site for HIE Governance.

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System ("Sure File") to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, alleging that not all of the patient records had been returned or destroyed when its contract with Sure File was terminated.  Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open.  When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couple's home, and the patient records were only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

 "Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract.  I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or paper records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however reckless the other party may also have been with regard to the information. 

HHS Rings in 2013 with News of Settlement for Small Breach

We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year!

It seems fitting for the first post of the year to revolve around HHS's announcement of its first breach settlement of 2013.  In what may quickly become a "trend" for HHS and OCR, the $50,000 settlement with the Hospice of North Idaho (HONI) is the first settlement involving a breach affecting fewer than 500 individuals.  Coming after OCR investigated a reported breach involving 441 patients and the theft of an unencrypted laptop in the summer of 2010, it is a far cry from the breach tallies we have seen in the past numbering in the hundreds of thousands of affected individuals and over a million dollars in fines.

Yet again OCR has called out a covered entity for failing to conduct a risk analysis as required by the HIPAA Security Rule and cracked down on yet another breach involving an unencrypted device (see, for example, the Alaska DHSS Resolution Agreement, which resulted from the theft of a portable USB storage device containing ePHI).  Not only did OCR state that HONI had failed to implement policies and procedures to address mobile device security despite regular and routine use of laptops in the field, but also that HONI failed to conduct a risk analysis to safeguard electronic PHI, stating,

HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis...from the compliance date of the Security Rule to January 17, 2012.  In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures. (emphasis added)

The risk analysis is too often abandoned to the wind by many covered entities, despite being a "Required" implementation specification for the security management process needed to prevent, detect, contain, and correct security violations.

Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.  

This breach settlement, combined with the fact that the risk analysis is also an independent core measure required for Meaningful Use participants in the Medicare and Medicaid EHR Incentive Programs, suggests all covered entities should make it their New Year's Resolution to be more proactive about their risk analyses and throw out bad portable device habits, whether they are big or small.  If your organization doesn't have policies and procedures regarding use of laptops, flashdrives, and other devices which can store or access ePHI, and a documented reason for not encrypting them where their use is necessary, it may be in for a rude awakening in the event of loss, theft, or OCR or CMS knocking at the door to conduct an audit.  Remember, even though encryption of data at rest and in transmission is an "addressable" rather than "required" implementation specification under the HIPAA Security Rule, "addressable" means every covered entity must assess it, implement it where reasonable and appropriate, and document why not (and what equivalent measure was adopted) where it is not.    

OCR and ONC have made available several resources and tools to help covered entities of all sizes in conducting and reviewing a risk analysis.  The majority of these are now readily available in one location on the Health IT website under the National Learning Consortium Resources section.  NIST Special Publication 800-30 has also consistently been referred to by OCR as a resource to use in preparing for and conducting risk analyses.  In addition, ONC recently released a new initiative aimed at increasing the security of mobile devices, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.

Whatever the reasons or excuses in the past, make 2013 the year your organization resolves to be more proactive about its risk analysis and security management processes, managing mobile devices and the overall security of ePHI.