LAPTOP LOSS LEADS TO HIPAA FINES
OCR announced two settlements regarding HIPAA violations resulting from laptop thefts.
North Memorial Healthcare of Minnesota will pay $1.55 million in settlement for HIPAA violations. A laptop was stolen from one of its contractors, and OCR found that North Memorial failed in two important areas:
- North Memorial did not have in place proper Business Associate Agreements; and
- North Memorial did not have an accurate and thorough risk analysis for their IT infrastructure.
This breach affected the PHI of approximately 9,500 individuals.
The second announcement related to Feinstein Institute for Medical Research. Feinstein will pay $3.9 million following the theft of a laptop containing PHI of around 13,000 patients and research participants. The information included names, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and other information.
OCR found that Feinstein had a limited security management process to maintain the confidentiality of its PHI. Specifically, it lacked policies and procedures for limiting employee access to PHI, had inadequate safeguards restricting access by unauthorized users, and had no policy governing the use of laptops and their removal from Feinstein’s facility. Apparently the laptop in this case was stolen from an employee’s car.
What is intriguing and frightening about these fines is the size of the dollar amounts. The announcements often omit details such as whether this was the first HIPAA breach for North Memorial and Feinstein, and the extent of the harm from the data loss (is there an indication that the data is being actively distributed and used, or was the laptop stolen and then tossed in a river, so that the data, while technically a HIPAA breach, was never actually disclosed?). If indeed this was the first breach by North Memorial and/or Feinstein and these are the settlement amounts, you should carefully consider your use of laptops and other portable devices, and you should immediately require encryption of all PHI stored or used on portable devices.
NEW OIG GUIDANCE ON COMPLIANCE PROGRAMS
Late last month, the Inspector General for HHS revealed that OIG has changed its view of the effect of having a compliance program. Previously, having a compliance program was one of the issues contained in the four general factors used by OIG in making exclusion decisions and in entering into Corporate Integrity Agreements. The use of compliance programs as a factor in determining those decisions was considered one of the reasons why a practice or hospital would create ongoing compliance programs, and create special compliance programs to deal with any issues resulting from an investigation. Often, the compliance plans were critical parts of Corporate Integrity Agreements.
The HHS Inspector General has now stated that having a compliance program is no longer a plus factor in evaluating proposed penalties and settlements of investigations by OIG. We believe it is likely that there will be some walk back or clarification of the Inspector General’s statement.
NEW EMPLOYEE OVERTIME RULES
For the last twelve years, workers making more than $23,660.00 could qualify as “salaried” employees and could be exempt from overtime rules. The United States Labor Department has finalized a rule changing that threshold to $47,476.00. You will want to carefully review your workforce to determine which of your employees will be eligible for overtime under the revised rule.
This newsletter is edited by Paul Wallace of Jones ∙ Wallace, LLC, a member of the American Bar Association Healthcare Law Section and the American Health Lawyers Association who has been representing physicians and healthcare practices for over 25 years. Mr. Wallace assists physicians, practices and hospitals in contract items, federal legal compliance, practice entity creation, estate and wealth planning and similar issues. Please feel free to call if you have any questions on this newsletter or legal matters at (812) 402-1600 or firstname.lastname@example.org.