On June 28, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement (resolution agreement and corrective action plan) with iHealth Solutions (also known as Advantum Health) over the alleged disclosure of protected health information through an unsecured server in violation of the Health Insurance Portability and Accountability Act (HIPAA). As part of the settlement, iHealth, a business associate that provides coding, billing, and information technology services to healthcare providers, agreed to pay $75,000 and to implement a corrective action plan to resolve potential HIPAA Privacy and Security Rule violations and to strengthen the security of its electronic protected health information (ePHI).
According to the Resolution Agreement, OCR's investigation was prompted by a breach notification report that iHealth submitted to OCR, which indicated that on May 2, 2017, the ePHI of 267 individuals was exfiltrated from an unsecured iHealth server by an unauthorized individual. Patient names, addresses, medical histories, and Social Security numbers were among the compromised information. In addition to the impermissible disclosure of protected health information, OCR found that iHealth had failed to conduct the accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI that the Security Rule requires.
OCR's interest in and response to iHealth's data breach, which affected a small number of individuals, demonstrates OCR's continued commitment to ensuring compliance at all scales. OCR seldom investigates and penalizes cases affecting fewer than 500 individuals; its enforcement actions typically involve far larger breaches. Its recent settlement with business associate MedEvolve for $350,000, for example, involved a breach that affected over 200,000 people, whereas the iHealth incident affected only 267 individuals. Accordingly, the $75,000 payment iHealth agreed to is smaller than in past enforcement actions. Further, iHealth is one of relatively few business associates that have been investigated by OCR, which has tended to focus the bulk of its enforcement effort on covered entities. Together, these aspects reinforce that OCR is serious about investigating reported breaches and assessing the strength of the security measures employed by both covered entities and business associates, regardless of incident scale. As such, business associates (as defined under HIPAA) should pay close attention to iHealth's corrective action plan, which provides insight into OCR's interpretation of compliance requirements.
In this post, we summarize the iHealth Corrective Action Plan and highlight key takeaways for companies looking to understand how this enforcement action should impact their health information privacy and security programs moving forward.
The Corrective Action Plan (CAP)
As part of the settlement, iHealth has agreed to implement a corrective action plan composed of the following steps, which will be overseen by HHS for a period of two years:
Conduct Risk Analysis. Within forty-five days of the Effective Date of the action plan, iHealth must conduct an assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI and submit a corresponding Statement of Work to HHS. Among other requirements, the assessment must include a complete inventory of all of iHealth's facilities, electronic equipment, information systems, devices, media, and applications that store ePHI. The security of the physical environment must also be assessed for potential risks. If HHS, upon reviewing the Statement of Work, identifies further deficiencies, it will submit suggested edits for iHealth to implement within thirty days. Going forward, iHealth must update its Risk Analysis annually and revise it as necessary to maintain the security of its ePHI.
Develop and Implement a Risk Management Plan. Following the review and approval of its Risk Analysis, iHealth must also develop a risk management plan to address and mitigate the security risks and vulnerabilities outlined in the analysis. This plan will include a process and timeline for implementation, evaluation, and revision of risk management activities. The risk management plan must be reviewed, revised, and approved by HHS.
Implement Process for Evaluating Environmental and Operational Changes. iHealth must develop a process to evaluate any environmental or operational changes that could affect the security of its ePHI. This process must be presented to HHS for review and approval within 120 days of the CAP’s Effective Date.
Revise Policies and Procedures. iHealth will develop and revise its written policies and procedures to comply with HIPAA’s Privacy, Security, and Breach Notification Rules, which govern the privacy and security of individually identifiable health information. These policies must contain specific provisions for privacy, security, and breach notification, as specified in the settlement agreement. Within thirty days of HHS approval, iHealth must distribute the updated policies and procedures and obtain signatures from all members of its workforce.
Review Reportable Employee Conduct. During the compliance term of two years, iHealth must investigate any instance in which an employee has failed or is suspected to have failed to comply with security procedures. iHealth must then report such events to HHS in a report including (1) a complete description of the event, relevant facts, and all participants, and (2) a description of actions taken and further steps iHealth plans to take to address, mitigate, or prevent any harm as a result of the incident.
Submit an Implementation Report and Annual Reports. After receiving HHS approval of its revised policies and procedures, iHealth must compile and submit an Implementation Report including the following components:
1. A signed attestation that the policies and procedures approved by HHS are being implemented, have been distributed to the workforce, and that iHealth has obtained compliance certifications from all employees who work with protected health information.
2. Copies of all training materials used to update its workforce on the new and revised policies and procedures, including a description of the training provided, a summary of the topics covered, the length of the training, and a list of attendees.
3. A signed attestation listing all iHealth locations, the name under which each location does business, contact information for each location, and signed attestation that each location has complied with the CAP’s obligations.
4. A signed attestation from an owner or officer stating that they have reviewed the Implementation Report and find the information included within accurate and truthful.
Further, iHealth must submit an annual report with similar content: an attestation that the policies and procedures have been adopted, implemented, and distributed to the workforce; a summary of reportable events; an attestation that iHealth maintains written or electronic certifications from all workforce members required to receive training, confirming that they received it; and an attestation that the annual report is accurate.
Retain Documents and Ensure Compliance. Finally, iHealth must also maintain all documents and records pertaining to the implementation of and compliance with the CAP for six years. iHealth may submit written extension requests for the requirements listed above, but a failure to submit either an extension or the required documents in a timely manner may constitute a breach of the agreement, which would allow HHS to impose a further monetary penalty or pursue other corrective actions against iHealth.
This settlement offers several key takeaways that companies should be aware of, especially if they are subject to HIPAA:
1. Scale of Data Breach is not Determinative. The iHealth settlement serves as a clear reminder that data breaches of all scales, including those that affect fewer than 500 individuals, can give rise to OCR scrutiny. Breaches affecting fewer than 500 individuals must still be reported to HHS under the Breach Notification Rule (on an annual basis rather than within 60 days of discovery), and, as iHealth's case shows, those reports can trigger an investigation. As such, all entities governed under HIPAA should ensure compliance with HIPAA's Privacy, Security, and Breach Notification Rules.
2. Broader Enforcement. This settlement indicates OCR’s continued commitment to enforcement of HIPAA’s Privacy, Security, and Breach Notification Rules across all entities. Although OCR has historically focused on enforcement against covered entities, the iHealth settlement should serve as a renewed warning that OCR remains interested in ensuring compliance across all entities governed under HIPAA — including business associates.
3. Monitoring Compliance with HIPAA Rules is Imperative. HIPAA's Privacy, Security, and Breach Notification Rules outline various compliance requirements for entities governed under HIPAA. Among other requirements, entities should thoroughly evaluate the impact of potential risks to ePHI, establish security measures adequate to address those risks, designate an individual responsible for implementing and monitoring the resulting policies and procedures, and train workforce members who handle ePHI on those policies and procedures.