by Daniel J. Solove
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:
1. HIPAA penalties are steep.
HIPAA fines can now be up to $1.5 million — and that’s per provision of HIPAA violated. In most incidents, OCR can find many provisions of HIPAA violated, as was the case here
Prior to the HITECH Act of 2009, OCR had more of a training wheels type of enforcement. But the HITECH Act dramatically raised the amounts of fines, and HHS shifted to a more punitive enforcement regime.
This isn’t your grandfather’s HIPAA anymore. HIPAA is formidable, and it has some sharp teeth.
This case was a settlement and didn’t involve a civil monetary penalty (CMP). But the amount was steep in part because the potential penalties are steep.
2. HHS’s new enforcement regime is just starting to rev up.
It has only been a few years. According to HHS’s website, there have been 21 consent decrees and 1 CMP issued thus far. Look for these numbers to start increasing.
3. The settlements don’t not just involve money — they also require a substantive corrective action plan and compliance reporting.
The settlements require both entities to have a “substantive corrective action plan” that “includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.” The entities must submit annual compliance reports to HHS.
4. It could be tougher — look at the FTC’s settlements.
As scary as this new OCR enforcement regime may sound, HIPAA-regulated entities should be grateful. The OCR resolution agreements will last for 3 years. In contrast, many FTC consent orders last for 20 years! I wrote a post the other day with Professor Woodrow Hartzog about how formidable FTC consent orders can be.
5. All it takes is one person to cause an incident.
The incident that led to this case was caused by a physician with a personally-owned computer server on the network without adequate technical safeguards.
This point is one I frequently mention when people ask me about the return on investment for the kind of workforce training I provide. People often say that no matter what the awareness message, some people will ignore it. That’s true. Training can’t eliminate risk entirely. But if it results in a number of people not making a blunder, that can reduce risk a lot. For example, one person can fall for a phishing ploy and infect the computer system with a virus allowing hackers access to data. Just one person, just one click.
6. The immediate cause of an incident is often the tip of a much larger iceberg.
Although the specific incident involved the physician with the computer server, OCR’s investigation revealed that the problem was much deeper. According to OCR, “neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.” Also OCR faulted both entities for not having “an adequate risk management plan.” OCR also faulted NYP for failing to “implement appropriate policies and procedures for authorizing access to its databases.”
Whenever there is an incident, the weaknesses in a HIPAA compliance program ratchet up the enforcement penalty pain. When viewed in hindsight after an incident, these weaknesses paint an ugly picture. The reality is often not as ugly as it appears, as many compliance programs have weaknesses in some areas. But in hindsight, these weaknesses look bad. And they are memorialized in bronze on the HHS website.
The best medicine is to be proactive and shore up the weaknesses. Measures like creating policies and procedures, having a risk management plan, and having a good training program are low-hanging fruit. They take a little time and some money, but they are well worth it.
Remember the saying, “Prevention is worth a pound of cure.”
The saying can be adapted for HIPAA: “Prevention costs a fraction of cure.”
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter