Mass. AG Levies 750k Judgment on Hospital for Data Breach
Massachusetts Attorney General Martha Coakley announced on May 24, 2012 that her office had reached a settlement agreement with South Shore Hospital over its failure to protect the personal and confidential health information of over 800,000 patients.
“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form,” AG Coakley said. “It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”
The consent judgment requires South Shore Hospital to pay a total of $750,000, including $250,000 in civil penalties and $220,000 towards an education fund for the protection of PHI and personal information. However, South Shore Hospital did receive a $275,000 "credit" for security measures it implemented after the breach occurred, leaving only $475,000 payable.
The consent judgment also requires South Shore Hospital to undergo an audit and report the results of certain security measures, as well as to take steps to ensure compliance with the HIPAA business associate provisions and other federal and state security requirements. In addition to failing to comply with its HIPAA business associate obligations, South Shore Hospital also failed to comply with HIPAA and state obligations to implement appropriate safeguards, policies, and procedures to protect patient information, and to appropriately train its workforce in safeguarding the privacy of PHI. It also neglected to ensure that the contractor itself had procedures in place to protect such PHI, according to the AG.
Three boxes full of unencrypted computer backup tapes had been sent to a subcontractor of Archive Data Solutions in 2010 to be erased and resold; however, the subcontractor only received one of the boxes and the remaining two were never recovered. According to the AG's office, South Shore Hospital did not have a business associate agreement in place with the contractor nor had it informed Archive Data that the backup tapes contained PHI.
The backup tapes contained Social Security Numbers, names, financial account numbers, and medical diagnoses. As reported by HealthDataManagement, South Shore Hospital had determined in July 2010 that the loss of the backup tapes was not a breach requiring individual notice to affected and potentially affected individuals. Rather, it posted a prominent notice on its website, citing state law provisions permitting alternative notification where the cost of notice would exceed $250,000 or where over 500,000 residents are affected.
It is unclear whether this breach was reportable and therefore actually reported to the Department of Health and Human Services (HHS) under the HITECH Breach Notification Rule. Although the PHI here was unencrypted and therefore "unsecured" within the meaning of the HITECH Breach Notification Rule, covered entities are also required to conduct an assessment to determine whether an incident poses a "significant risk of harm" to the individual(s) that would give rise to a reportable breach. Most importantly, a breach in and of itself does not automatically mean a HIPAA violation has occurred.
If a covered entity determines that there was a breach, all affected individuals, and individuals reasonably believed to be affected, are required to receive written notice of the breach, as is HHS where over 500 individuals have been affected. HITECH also permits alternative notification, but only where the contact information of an individual is incomplete or where written notice has been returned undeliverable to the covered entity attempting to notify that individual of a reportable breach.
Aside from South Shore Hospital's obvious failure to obtain a business associate agreement, and apparently even to inform Archive Data that it was a business associate subject to certain HIPAA provisions, it is unclear what else South Shore Hospital did or failed to do that contributed to the 750k settlement agreement and the other alleged HIPAA and state law violations. The AG's office noted that multiple shipping companies had handled the backup tapes, but did not otherwise indicate whether it was the lack of policies and procedures for safeguarding PHI and of training its workforce in such safeguards that resulted in the missing backup tapes (again, a breach itself does not automatically mean a HIPAA violation has occurred) or whether the focus was on the hospital's overall HIPAA and state law compliance program.
What is even more noteworthy is that the AG stated South Shore Hospital failed to determine whether Archive Data had sufficient safeguards in place to protect the PHI it would receive on the backup tapes prior to destruction. This clearly places an obligation upon covered entities to go beyond ensuring that the business associate agreement itself is in compliance with HIPAA by requiring the business associate to implement reasonable safeguards to protect PHI.
While covered entities have always been, and should be, responsible for appropriate oversight and monitoring of their business associates, just how far is a covered entity responsible for going? Does a hospital need to request that the business associate provide copies of its policies and procedures for safeguarding PHI? Policies and procedures for data destruction or erasing data? Information on how its staff is trained on the business associate's obligations under HIPAA and the business associate agreement?
And if a hospital is not satisfied with a business associate's policies and procedures, can it require that additional safeguards and processes be implemented? Should a hospital also require notification by a business associate of potential breaches and security incidents, to safeguard against bad calls? With business associates frequently resisting the inclusion of any provisions in a business associate agreement beyond the bare minimum required by HIPAA, covered entities may find it increasingly difficult to provide the required levels of oversight, safeguards and assigned responsibility.
With over 22% of reported breaches since 2009 involving business associates, as reported by HealthcareInfoSecurity, and with only one case (see the Minnesota AG case against Accretive Health) so far targeting business associates directly for HIPAA violations, covered entities remain liable for the actions of their business associates, even though business associates are now directly subject to certain HIPAA provisions. Covered entities also bear the brunt of a breach, as it is their patients who may be seriously harmed. As determining liability for breaches and other security incidents between a covered entity and the business associate involved remains quite uncertain for now, the business associate regulations (expected "soon" ever since last year) will be a welcome ray of clarity for covered entities and business associates alike.