It isn’t the Size of the Breach: OCR Issues Largest Fine to Date against FMCNA

People like to talk about the big cyber breaches: Instagram, Ashley Madison, Target, and Equifax, just to name a few.  But it is not always the number of people affected by a breach that should cause concerns for businesses; it is the failure of a business to take appropriate steps to protect personal data. Let us deconstruct our point by using a recent example related to healthcare data under the Health Insurance Portability and Accountability Act (“HIPAA”) and its first settlement of 2018.

For those of you who do not know, the Department of Health and Human Services’ Office for Civil Rights (OCR) is the organization that investigates and enforces HIPAA’s Privacy and Security Rule.

In February, the OCR reported that it reached a settlement with Fresenius Medical Care North America (FMCNA) whereby FMCNA has agreed to pay the OCR $3.5 million to resolve multiple potential HIPAA violations that allegedly contributed to five (5) separate data breaches.  In total, the breaches exposed 525 patients’ Protected Health Information (“PHI”).  One breach exposed as few as ten (10) pieces of PHI. Ok, so in the grand scheme of breaches, not a big deal, right?   Equifax exposed the Personally Identifiable Information (“PII”) of 145 million Americans in just one breach.  FMCNA’s 5 breaches did not even hit 1000. So, why in the world are they paying $3.5 million while Equifax has not paid a dime in regulatory penalties?

The answer is in the question.  First, FMCNA (being a covered entity under HIPAA) is in a regulated industry: healthcare. The OCR takes violations of HIPAA very seriously.  But here, it was not the size of the breaches that triggered the regulatory penalties, but FMCNA’s apparent failure to appropriately safeguard the PHI.  After the breaches occurred, the OCR launched an investigation into the breaches.  And it was not the number of individuals affected by the breaches that was the impetus for the HIPAA penalty, but that the investigation revealed a plethora of HIPAA Security Rule violations.

By way of background, HIPAA sets standards for, among other things, who has access to PHI. A covered entity or business associate cannot protect PHI in its possession unless it maintains the security of the PHI. Under HIPAA, covered entities and business associates must protect PHI both against intentional disclosure, in violation of the patients’ rights, and against inadvertent disclosure because of an attacker’s unauthorized access to PHI.  HIPAA further requires covered entities and business associates to have in place appropriate administrative, physical and technical safeguards and to reasonably implement those safeguards. Part and parcel of these obligations is the requirement that covered entities and business associates conduct a comprehensive and accurate risk analysis to identify all potential risks to the confidentiality and integrity of PHI.  Only upon understanding what type of PHI you have, where it is stored, how it is created, how it is transmitted, and how it is accessed can you even begin to appreciate how to protect it.

For FMCNA, the OCR concluded that it had failed to perform the proper risk analysis and assessment. In addition to this HIPAA violation, the OCR also discovered that FMCNA’s covered entities had other significant violations.  Certain of FMCNA’s covered entities failed to implement policies and procedures governing the receipt and removal of computer hardware and electronic storage devices that contained PHI. Further, certain covered entities did not implement encryption, or its equivalent. There were also physical security shortfalls at some facilities and no policies and procedures in place to address a security breach.

In addition to the rather large (one of the largest ever) financial settlements, FMCNA has also agreed to adopt a corrective action plan to address all of the HIPAA shortfalls and to bring all policies and procedures in line with the standards set forth in HIPAA.  So it is not just the fines FMCNA has to look forward to, but the OCR will also be monitoring and providing oversight to FMCNA in the coming months and years.

What exactly does this settlement show us, and why is it so important for those of us who work with organizations in the healthcare arena?  First, it is not the size of the breach that matters.  The FMCNA breaches were minuscule in comparison to most security breaches.  While five separate breaches are nothing to minimize, the number of affected individuals is relatively small.  The big issue the OCR seemed to have with FMCNA was the administrative, technical and physical security failures.  It was FMCNA’s non-compliance that really sank them.  The OCR cares very much about a breach (had FMCNA had the appropriate administrative, physical and technical safeguards in place, these breaches might not have occurred in the first place), but the investigation went beyond the breaches.  It uncovered a systemic failure that suggested violations of HIPAA requirements.

In terms of a takeaway message, organizations of all sizes that qualify as covered entities and business associates should not take HIPAA security and privacy rules lightly. Having properly reviewed, assessed and documented the entire data security process is essential. The OCR knows and understands that cybersecurity is not a one-size-fits-all proposition.  But, from the OCR’s perspective, a failure to understand and evaluate your systems and security is unacceptable.  If you have a breach, and the OCR concludes that the breach reveals HIPAA noncompliance, it clearly does not matter whether 1 person or 1 million people are affected.  In other words, it isn’t the size of the breach that matters when dealing with HIPAA and the OCR.  Proceed with care and caution.  Invest in complete and appropriate solutions.  If only to avoid fines from the OCR, cybersecurity is clearly always a good investment.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.