The Department of Health and Human Services Office for Civil Rights (HHS-OCR) announced the Agency recovered an unprecedented $28.7 million from HIPAA enforcement activities in CY 2018.  The HIPAA Privacy, Security, and Breach (HIPAA Rules) violations for which OCR was able to obtain either summary judgement or settlement payments involved some of the country’s top healthcare stakeholders; including MD Anderson ($4.3 million), Massachusetts General Hospital ($515,000), Fresenius Medical Care North America ($3.5 million), and Anthem, Inc. ($16 million).

The February 2019 OCR Press Release indicates the Agency actively pursued HIPAA Rules violations throughout the year – from a $100,000 settlement with FileFax, Inc. in January 2018 to a $3 million settlement with Cottage Health in December 2018.  In looking for possible motivation for OCR’s impressive level of recoveries in 2018, one only has to review the number of high-profile news reports in the last two years regarding breaches of not only Protected Health Information (PHI) but also of consumer Personal Identifiable Information (PII). Additionally, this demonstration of the Agency’s enforcement activities is a reflection of a policy shift OCR availed itself to as a result of regulatory changes that allow pursuit of Covered Entities (Providers, Payors, and Clearing Houses) and their Business Associates.  

The Violations

The HIPAA Rules violations resulting in the 2018 recoveries were as varied as the type of healthcare stakeholders involved. However, all reflected the lesson that Covered Entities and Business Associates must have effective Privacy, Security, and Breach programs that are regularly assessed and updated in order to avoid federal penalties.  OCR obtained a $500,000 settlement from a Provider whose HIPAA Rules violations included failure to obtain Business Associate Agreements (BAA) with its billing companies. Many Covered Entities continue to believe that BAAs are perfunctory documents that hold no authority or importance.  However, the settlement with the Provider regarding the lack of BAAs, illustrates the federal government finds them essential in establishing an effective HIPAA Program; and will penalize applicable stakeholders that neglect to comply with the BAA requirement. Additional highlights of HIPAA Rules violations that resulted in recoveries by the Agency in 2018 include:

• Cyberattacks on a Payor organization leading to the breach of health data stored in their IT system as a result of a phishing scheme exposing PHI of 79 million people.
• Medical Center failing to conduct an investigation of the potential vulnerabilities and confidentiality issues of its electronic PHI that led to PHI breach of data involving over 62,500 individuals.
• Academic Medical Center found liable for not incorporating a satisfactory level of encryption into its data system, which created three unnecessary PHI breaches.
• Hospital System allowing film crews on the premises to film a documentary without written authorization from patients. 

In addition to the financial penalties and the reputational impacts regarding the public disclosure of HIPAA Rules violations, the healthcare entities were also required to enter into Corrective Action Plans (CAP), which are monitored by the OCR.  Failure to comply with a CAP could lead to further Agency oversight actions; including but not limited to additional monetary fines, criminal penalties, and Department of Justice investigations.

The 2018 OCR settlements are a reminder that Covered Entities and their Business Associates have to remain diligent regarding HIPAA Rules Compliance. The Agency shows no evidence of slowing down on investigations of possible violations and pursuit of recoveries from healthcare industry stakeholders that fail in their obligation to safeguard PHI. 

If your organization is interested in assessing your current HIPAA Program, including proactive updates for technology, procedures, and training; please contact the DB Health Law Team Leaders Rafael A. Ruiz-Ayala at rruizayala@dugganbertsch.com  or Mori A. Hall at mhall@dugganbertsch.com.