At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
Be sure to follow the Breach Notification Rule
This year saw the first enforcement case for failing to follow the HIPAA Breach Notification Rule. Tip: Follow the rule.
Conduct risk assessments! I repeat: Conduct risk assessments!
If HIPAA enforcement were a song, risk assessments would be the chorus line. Year after year, the HIPAA enforcement cases nab many organizations for insufficient risk assessments – or, in some cases, none at all.
Have adequate business associate agreements.
Several cases involved the failure to have adequate business associate agreements (BAAs). HIPAA provides a lot of guidance about what must be in BAAs. In most cases involving providing PHI to other organizations or to vendors, you need to have a BAA.
Not having audit controls can be very costly.
On April 12, 2012, MHS submitted a breach report to HHS indicating that two MHS employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers. On July 11, 2012, MHS submitted an addendum to its breach report to notify HHS that during its internal investigation, it discovered additional impermissible access by 12 users at affiliated physician offices, potentially affecting another 105,646 individuals. Some of these instances led to federal charges relating to selling protected health information (PHI) and filing fraudulent tax returns.
Just a few bad-apple employees caused this breach. Heed the lesson of this case, because it can take only one bad apple.
Avoid making obvious mistakes.
In one of the more stunning HIPAA violations, a patient used an allegedly fraudulent ID card. The institution properly disclosed the information to the police, resulting in the patient’s arrest. But then the institution issued a press release about the incident that included the patient’s name in the title. Result: A $2.4 million penalty.
Related Posts of Interest
For my overview of last year’s HIPAA enforcement, see my post:
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.