by Daniel J. Solove
Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.
The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.
The health information protected by HIPAA is called “protected health information” (PHI).
Although the vast majority of HIPAA violations involve civil penalties, there can be criminal HIPAA violations, which are enforced by the Department of Justice (DOJ).
HIPAA actually consists of a number of regulations:
- The Privacy Rule
- The Security Rule
- The Enforcement Rule
- The Breach Notification Rule
The Anatomy of a HIPAA Enforcement Action
HIPAA enforcement actions are typically initiated by a complaint. The HIPAA statute doesn’t authorize people to sue for HIPAA violations, so people’s recourse under HIPAA is to file a complaint with OCR. People can sue under state law for many of the things that would constitute HIPAA violations, as HIPAA doesn’t preempt state law, and more privacy-protective state law trumps HIPAA in those states in which it is enacted.
When OCR receives a complaint, it first evaluates whether it has jurisdiction and whether there is a possible violation. It will then launch an investigation and reach a resolution. That resolution can be a finding of no violation or of a violation. Many cases are resolved by the entity being investigated agreeing to take corrective action and sometimes agreeing to pay monetary penalties.
HIPAA enforcement actions can also be triggered when there is an incident that is reported to HHS, such as a data breach.
HIPAA enforcement now also involves auditing, a topic I will discuss in another post.
Scope of HIPAA Enforcement
OCR can enforce HIPAA against a wide array of entities. Covered entities large and small are subject to OCR enforcement – from small doctors’ offices to large hospitals and health systems. OCR can enforce against not only private-sector entities but public sector ones as well. For example, one action was against a state’s Department of Health and Human Services.
OCR also has the ability to directly enforce HIPAA against business associates – and any subcontractors of business associates.
HIPAA enforcement thus follows PHI wherever it goes – except under special circumstances. So if a hospital provides PHI to a billing company, and the company subcontracts with another entity, OCR can enforce down the chain of custody. HIPAA thus is enforced along the chain . . . and PHI generally remains inside HIPAA’s protective bubble no matter where the hot potato is handed.
This concept of enforcement along the chain is really essential in today’s age where data can so readily be transferred and where so many entities have access to particular pieces of personal data. Unfortunately, unlike HIPAA, many other privacy laws do not allow for enforcement along the chain – the Family Educational Rights and Privacy Act (FERPA) is an example. Once education records are handed to others, the Department of Education is powerless to enforce against those entities.
The Story of HIPAA Enforcement
The story of HIPAA enforcement is a tale of two OCRs – the one before HITECH and the one after.
HIPAA Enforcement Before HITECH
Initially, between 2003 and 2008, HIPAA enforcement would best be characterized as a cooperative model. OCR would work with institutions to help them sin no more. The goal was not penal, but being helpful. The saying “I’m from the government, and I want to help” really applied here.
By 2008, more than 33,000 complaints had been filed with OCR. About 8000 of those were investigated, leading to 5600 instances where entities took corrective action. No fines were ever issued. Critics called HIPAA’s enforcement toothless.
In 2009, the Health Information Technology for Economic and Clinical Health ( HITECH) Act seriously ratcheted up the penalties. The fines for HIPAA violations were raised dramatically — up to $1.5 million for a violation in certain circumstances. The HITECH Act added a breach notification requirement and it mandated that HHS conduct compliance audits. Congress made clear that HIPAA enforcement should have more teeth – and that OCR should be issuing some fines.
The HITECH Act significantly renovated HIPAA. In my opinion, HITECH was one of the best set of improvements to a privacy law that Congress has ever made.
In 2013, HHS issued the Omnibus Final Rule implementing HITECH Act changes in HIPAA. But its enforcement approach changed earlier, right after the HITECH Act.
HIPAA Enforcement After HITECH
In the past few years, we are seeing HIPAA enforcement resolutions that include fines. But even today, most HIPAA enforcement resolutions “simply spell out corrective action plans or offer technical assistance.”
There have been just 22 cases involving financial payments or a civil monetary penalty.
Resolution Agreements
When a civil monetary penalty is involved, HHS will enter into a resolution agreement with the entity. A resolution agreement includes:
- a financial penalty;
- a corrective action plan (CAP) that often involves entities improving their policies and procedures, their training, their risk analyses, and their security practices; and
- a reporting requirement for a duration of time, typically ranging from 1 to 3 years.
According to OCR, it has entered into 22 resolution agreements, which come with a penalty, and issued one civil monetary penalty. They are listed on HHS’s website.
How Painful Is HIPAA’s Sting?
The penalties as part of the resolution agreements are quite steep.
For example, in 2012, penalty amounts ranged from $50,000 to $1.7 million. There were three penalties of $1.5 million or higher.
Total = $4,850,000
Average: $970,000
In 2013, penalty amounts ranged from $150,000 to $1.7 million. There are two penalties in excess of $1 million.
Total = $3,493,280
Average: $678,656
So far in 2014, penalties have been issued for the following amounts:
- $215,000
- $3,300,000
- $1,500,000
- $1,725,220
- $250,000
Total = $6,990,220
Average: $1,398,044
The Many Flavors of Resolution Agreements
The OCR resolution agreements appear to be deliberately eclectic, involving institutions large and small, as well as many different types of incidents. They represent a nice cross-section of different types of HIPAA violations.
To a HIPAA wonk like me, reading them is akin to going into a gelato store and being able to taste all the flavors. (Having done both, I would opt for the gelato store if you had a choice.)
The violations involve paper and electronic records. Frequent themes are inadequate training, failure to encrypt, and failure to conduct a risk assessment.
Is Harm Needed for a Penalty?
Harm isn’t required for there to be a monetary penalty. In one case, PHI was left in boxes unattended in a driveway to a house. But there were no allegations that any unauthorized individual accessed the PHI or took the records. There were no allegations that any PHI was lost. Nevertheless, the monetary penalty was $800,000.
The Big Picture of HIPAA Enforcement
Let’s step back and look at the big picture of HIPAA enforcement. Recently, at the end of August of this year, the total number of HIPAA complaints received by OCR since 2003 exceeded 100,000.
Since 2009, there have been more than 1000 data breaches involving 500 or more people that have been listed on the HHS “wall of shame” website. Of these OCR completed 751 investigations.
One of the great things about HHS enforcement is that HHS maintains some of the most comprehensive statistics and information on its website. Other agencies only report a fraction of what HHS reports. And some barely have anything on their websites at all.
One interesting difference between HHS and the FTC is that HHS reports on the cases it investigates, whereas the FTC often keeps it a secret when it conducts an investigation and resolves not to take action.
Nature of Compliance Issues
HHS’s website contains a useful ranking of the most frequent types of compliance problems. Based on all cases, the compliance issues most investigated include:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the minimum necessary protected health information; and
- Lack of administrative safeguards of electronic protected health information.
Enforcement Statistics
The story for HIPAA case resolutions is that they have been generally increasing throughout the years. Starting in 200 8, there have been between 8000 to 10,000 resolutions.
HHS provides the graphic chart below, and that chart shows visually an interesting trend. Look at the total resolutions for 2013, the year of Omnibus. There’s a huge spike in the number, an increase of nearly 50% from 2012. The graphic chart for 2013 looks like a tower in Dubai!
OCR receives thousands of complaints each year: 10,454 complaints in 2012 and 12,915 in 2013. HHS’s website keeps stats on the number of complaints each year.
The majority of these complaints are dismissed or resolved – in 2012, 3,361 of those complaints required corrective action while 3,470 required action in 2013.
State Enforcement
In addition to increasing penalties and mandating audits, HITECH also permitted state attorneys general to bring enforcement actions for HIPAA violations at the pre-HITECH penalty levels.
However, few actions have been brought thus far.
Of the actions brought, all state attorneys general have also relied on state data protection laws.
In 2010, Connecticut was the first state to pursue actions under HITECH, bringing a case against insurer Health Net Inc. for waiting six months to provide notification after a data breach.
Vermont followed, pursuing its own action against Health Net in 2011.
Minnesota brought an action against Accretive Health in 2012 under both state law and HIPAA, but the state’s settlement announcement appears to be largely based on state data protection law, rather than HIPAA requirements.
Massachusetts has been especially active in HIPAA enforcement. The state has a strong consumer protection law, and all of its actions have also relied on state law. In May 2012, Massachusetts settled a lawsuit against South Shore Hospital under both HIPAA and state law for failing to adequately protect health information of over 800,000 patients.
The following year, an action was brought against Goldthwait Associates for failing to implement appropriate safeguards required by HIPAA and for violating state data security regulations. A final settlement was announced against Woman and Infant’s Hospital of Rhode Island in 2014 for a 2012 data breach.
Analysis and Takeaways
1. HIPAA enforcement used to be toothless; now, post-HITECH, it has some teeth and significant fines have been issued. HITECH really strengthened HIPAA in many ways. This is not your grandfather’s HIPAA anymore – it’s much more powerful.
2. There have been only 22 cases thus far with fines. There have been more than 100,000 complaints since 2003. There should be a lot more fines.
3. HIPAA allows for HHS enforcement along the chain of custody of PHI. This is a really essential protection, as these days, it is so common for PHI to circulate among various entities.
4. HIPAA allows state AGs to enforce, though not many have availed themselves of this power.
5. Reading the resolution agreements reveals that doing three things would help a lot with HIPAA compliance: (a) encrypt, (b) conduct risk assessments, and (c) have good workforce training.
6. Although an incident might spark an investigation, the resolution agreements show that the incident is just the tip of the iceberg. There are other HIPAA compliance shortcomings that OCR will typically find. Turn over the stone, and you’ll often find more than one bug crawling underneath.
7. The number of cases with corrective action taken has risen steadily throughout the years. And HIPAA enforcement activity is increasing, especially in 2013.
8. Although HIPAA doesn’t provide for a private right of action for people to sue, HIPAA leaves intact more protective state law. And there’s a lot of state law protecting medical privacy. So just because an entity might get lucky and receive a slap on the wrist from OCR, there still might be lawsuits under state law – plus there could state agency enforcement too under a state’s own laws (or under HIPAA).
9. HHS provides a wealth of information and transparency compared to other federal enforcement agencies.
10. Auditing is another important new dimension to HIPAA enforcement, a topic I will explore later on.
* * * *
Enforcing Privacy and Security Laws: Other Posts in this Series
1. Why Enforce Privacy and Security Laws?
2. The Privacy Pillory and the Security Rack: The Enforcement Toolkit
3. Who Are the Privacy and Security Cops on the Beat?
4. The Brave New World of HIPAA Enforcement [this post]
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security