OCR just announced a settlement agreement with the University of Massachusetts-Amherst for a breach of records at its Center for Language, Speech, and Hearing, which was not designated as a covered health care component in its hybridization. UMass is the third hybrid entity in the 43 enforcement actions listed on the HHS website that has been cited for lack of proper hybrid designation and insufficient risk analyses and risk management programs as a result.
The level of expected knowledge of, and compliance with, both hybrid designation and the associated risk analysis and risk management requirements have been raised significantly over time.
- In 2013, Idaho State University (ISU) paid $400,000 for a breach of 17,500 records ($44.86/record) due to the failure to conduct a risk analysis until 2012 and to remediate the risks. The first requirement in the corrective action plan was the submission of documentation designating it as a hybrid entity and identifying all of its designated covered health care components. The second required copies of its most recent risk management plan that included specific security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level for all of its covered health care components.
- In 2014, Skagit County, the first county government to settle with OCR, paid $215,000 over a breach of 1,581 records ($135.99/record). Although not the first or second requirement in the Corrective Action Plan (those were focused on breach notification and accounting of disclosures), the third required hybrid documentation designating its covered health care components and the fourth, conducting an accurate and thorough risk assessment of its designated health care components and implementing security measures to reduce the risks.
- Now in 2016, with the OIG and GAO urging OCR to toughen its enforcement, UMass will be paying $650,000 for a breach of 1,670 records ($389.22/record), with a comment in the Press Release implying that the penalty was lower than it might have otherwise been had UMass not operated at a financial loss in 2015. With a specific mention of the failure of UMass to designate their Center of Language, Speech, and Hearing as a covered health care component, the #1 requirement in the Corrective Action Plan is to complete an inventory and designation of its health care components and to conduct a comprehensive and thorough Risk Analysis (now capitalized in the CAP) of each such component; and requirement #2 to develop an enterprise-wide Risk Management Plan (also capitalized) to address and mitigate identified security risks and vulnerabilities.
OCR hasn’t published a lot of guidance regarding hybrid entities but be aware of this one: the Privacy Rule permits a covered entity that is a single legal entity and that conducts both covered and non-covered functions to elect to be a “hybrid entity.” To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A covered entity that does not make this designation is subject in its entirety to the Privacy Rule.
OCR Director, Jocelyn Samuels has been vocal about the need to do a comprehensive and thorough risk analysis in many of the press releases announcing settlements, here’s what she said about the UMass agreement:
“Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
Don’t hesitate – designate and document those covered health care components including healthcare operations and relevant administrative support (e.g. legal, audit), conduct a risk analysis across all covered health care components and implement a risk management plan to address the identified risks.
The fines are getting steeper!
You can view the HHS press release here.