Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement. 2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.
The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.
Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:
OCR should strengthen its followup of breaches of PHI reported by covered entities. OCR investigated the large breaches, as required, and in almost all of the closed large-breach cases, it determined that covered entities were noncompliant with at least one HIPAA standard. Although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2016:
Case | Date | HIPAA Issues | Penalty |
---|---|---|---|
Lincare, Inc. | 2/3/16 | Unencrypted PHI taken offsite and abandoned | $239,800 |
Complete P.T., Pool & Land Physical Therapy, Inc. | 2/16/16 | Unauthorized use of PHI in marketing materials | $25,00 |
North Memorial Health Care | 3/16/16 | Unencrypted laptop stolen
Failure to execute proper business associate agreement |
$1.55 million |
Feinstein Institute for Medical Research | 3/17/16 | Unencrypted laptop stolen | $3.9 million |
Raleigh Orthopaedic Clinic | 4/14/16 | Failure to execute proper business associate agreement | $750,000 |
New York & Presbyterian Hospital | 4/19/16 | Unauthorized disclosure and failure to safeguard PHI to film crew | $2.2 million |
Catholic Health Care Services of the Archdiocese of Philadelphia | 6/29/16 | Unencrypted phone stolen | $650,000 |
University of Mississippi Medical Center | 7/7/16 | Encrypted laptop stolen
PHI vulnerable to unauthorized access on wireless network |
$2.75 million |
Oregon Health & Science University | 7/18/16 | Two unencrypted laptops and 1 unencrypted thumb drive stolen
Failure to execute proper business associate agreement |
$2.7 million |
Advocate Health Care Network | 8/4/16 | Unencrypted laptop stolen
Failure to execute proper business associate agreement |
$5.55 million |
Care New England Health System | 9/23/16 | Lost unencrypted backup tapes
Outdated business associate agreement |
$400,000 |
St. Joseph Health | 10/17/16 | Unauthorized disclosure and compromised PHI | $2.14 million |
University of Massachusetts | 11/22/16 | Malware infection led to unauthorized disclosure of PHI | $650,000 |
Lessons from 2016
Have good compliance fundamentals – it will make a data breach cost a lot less.
A breach triggers OCR scrutiny, and when the rock is turned over, a lot of ugly things are often found crawling underneath. Relatively small breach investigations are leading to investigations of larger enterprise-wide security failures. For example, in the record $5.5 million settlement with Advocate Health Care in August, 2 of the 3 reported breaches that triggered the OCR investigation included unencrypted laptops and computers that were stolen. The OCR found that subsequent to these breaches, Advocate failed to conduct a thorough risk assessment, failed to execute a proper business associate agreement and failed to reasonably safeguard PHI among other violations.
The bottom line: Do the basics. OCR resolves most cases without fines and issues fines to the low-hanging fruit, those who have clear compliance omissions. The better your compliance with HIPAA, the more likely you’ll not be hit with a monetary penalty by OCR.
As HHS’s Deven McGraw once aptly said: “Often, when we take a look into those breaches, what we find is that they were not accidents. . . What contributed to the breach of thousands, if not tens of thousands of records, was systemic noncompliance … over a period oftentimes of years. Organizations must be given some latitude. . . . They don’t need to be perfect. But they must take HIPAA compliance seriously – and that means more than a check-box compliance program.”
It is not enough just to perform a risk analysis. Fix the problems that are discovered.
In many cases, the offending organization was aware of the risks but took minimal action. In the $2.7 million resolution with Oregon Health and Sciences University (which was investigated after reports of the theft of two unencrypted laptops and one unencrypted thumb drive), it was found that though OSHU had identified the risks in their internal risk analysis, they had not implemented adequate measures to address their own findings. OCR Director Joceyln Samuels commented: “OHSU had every opportunity to address security management processes that were insufficient. . . .This settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”
Risk assessment, policies and procedures, and workforce training often need improvement.
In the resolution agreements, corrective actions are recommended with a 3-year monitoring agreement in addition to the monetary payment. Risk assessment, revision of policies and procedures, and workforce training are generally required. These things are obviously quite important to OCR and need to be stepped up because they are so frequently included in corrective action plans.
Portable devices with unencrypted PHI are a major problem.
In eight of the cases in 2016, the trigger for the data breach notification leading to the investigations involved the theft of unencrypted laptops, phones or thumb drives that contained PHI. Simple equation: Device + Unencrypted = Bad.
Have adequate business associate agreements.
There were five cases that involved inadequate business associate agreements. This is low-hanging fruit in an investigation, and it cries out to OCR: Please choose me for a monetary penalty!
Have a culture of compliance.
Overall, a culture of compliance would make a big difference in most of these cases. This means taking compliance seriously. The organization must devote sufficient time and resources to complying with HIPAA. The workforce should be well-trained. The organization should be doing basic things such as developing policies and procedures, doing risk assessments, and addressing risks.
Last year demonstrated that HHS is really stepping up its enforcement. It’s a good time for many organizations to take stock of their compliance program and punch it up to keep in step.
Related HIPAA Resources
HIPAA Training Courses
HIPAA Training Guide
HIPAA Training Requirements FAQ
HIPAA Whiteboard
HIPAA Resources
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter