by Daniel J. Solove
The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive protected health information (PHI) from covered entities when performing functions for them.
Who Enforces HIPAA?
HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS).
Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs. Although the vast majority of HIPAA violations involve civil penalties, there can be criminal HIPAA violations, which are enforced by the Department of Justice (DOJ).
Can People Sue for HIPAA Violations?
Although HIPAA doesn’t provide a private right of action for people to sue, HIPAA leaves intact more protective state law. And there’s a lot of state law protecting medical privacy. So just because an entity might get lucky and receive a slap on the wrist from OCR, there still might be lawsuits under state law – plus there could be state agency enforcement too, under a state’s own laws (or under HIPAA).
It is a common myth that people can’t sue for HIPAA violations. They can — just not directly under HIPAA. Under various state tort actions such as negligence, plaintiffs can use HIPAA as a standard of care. What this means is that people can sue for HIPAA violations — not under HIPAA but through their own state’s tort law.
How Frequently Does OCR Issue Financial Penalties?
Initially, between 2003 and 2008, HIPAA enforcement would best be characterized as a cooperative model. OCR would work with institutions to help them sin no more.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act seriously ratcheted up the penalties. The fines for HIPAA violations were raised dramatically — up to $1.5 million for a violation in certain circumstances. Congress made clear that HIPAA enforcement should have more teeth – and that OCR should be issuing some fines.
And OCR has responded, with almost 30 cases involving a monetary penalty or settlement.
These cases have nearly all settled, with HHS entering into a resolution agreement with the entity. A resolution agreement includes:
— a financial penalty
— a corrective action plan (CAP) that often involves entities improving their policies and procedures, training, risk analyses, and security practices
— a reporting requirement, typically ranging from 1 to 3 years
How Painful Is HIPAA’s Sting?
The penalties as part of the resolution agreements are quite steep.
For example, in 2012, penalty amounts ranged from $50,000 to $1.7 million. There were three penalties of $1.5 million or higher.
Total = $4,850,000
In 2013, penalty amounts ranged from $150,000 to $1.7 million. There were two penalties in excess of $1 million.
Total = $3,493,280
Average = $678,656
In 2014, penalties ranged from $150,000 to $3.3 million.
Total = $7,940,220
The violations involve paper and electronic records. Frequent themes are inadequate training, failure to encrypt, and failure to conduct a risk assessment.
Is Harm Needed for a Penalty?
Harm isn’t required for there to be a monetary penalty. In one case, PHI was left in boxes unattended in a driveway to a house. But there were no allegations that any unauthorized individual accessed the PHI or took the records. There were no allegations that any PHI was lost. Nevertheless, the monetary penalty was $800,000.
How Many HIPAA Complaints Have Been Filed?
Let’s step back and look at the big picture of HIPAA enforcement. As of the end of August 2014, the total number of HIPAA complaints received by OCR since 2003 exceeded 100,000.
How Many Data Breaches Are Listed on the HHS Website?
Since 2009, there have been more than 1200 data breaches involving 500 or more people that have been listed on the HHS “wall of shame” website.
Has HIPAA Enforcement Been Increasing?
The story for HIPAA case resolutions is that they have been generally increasing over the years. Starting in 2008, there have been between 8,000 and 10,000 resolutions per year. Notice the huge spike in the number in 2013 after the Omnibus Final Rule, an increase of nearly 50% from 2012.
What Are the Compliance Issues OCR Has Investigated the Most?
According to HHS, the compliance issues most investigated include:
— Impermissible uses and disclosures of PHI
— Lack of safeguards of PHI
— Lack of patient access to PHI
— Uses or disclosures of more than the minimum necessary PHI
— Lack of administrative safeguards of ePHI
About Professor Solove and TeachPrivacy
This resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught privacy law every year since 2000, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers.
TeachPrivacy provides HIPAA training, privacy awareness training, information security awareness training, phishing training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.