The Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), Roger Severino, expressed his primary enforcement concern for 2017 is to locate a HIPAA breach that is “big, juicy, egregious” to highlight it as a good example for other healthcare companies regarding the risks of failing to adhere to HIPAA Rules. When determining on which incidents to go after, OCR takes into account the opportunity to utilize the incident as an educational tool to advise covered entities to abide by particular aspects of HIPAA Rules.
At the latest ‘Safeguarding Health Information’ conference conducted by OCR and NIST, Severino discussed the need to balance law enforcement with an educational element. It is better if people would comply without OCR needing to enforce. Severino didn’t make clear what part of noncompliance with HIPAA Rules OCR is expecting to focus on with its next big, juicy settlement, though no healthcare company is safe to a HIPAA penalty when they are discovered to have broken HIPAA Rules.
Severino additionally discussed that OCR is currently receiving a large number of complaints. There are over 20,000 complaints regarding security breach and privacy violations submitted every year. OCR has a lot of personnel giving technical support to covered entities regarding their compliance programs. The objective is to considerably lower the amount of complaints and have a “culture of compliance” all over the nation.
Most of the HIPAA violations are solved by means of technical support and voluntary compliance, however financial fines are also issued for egregious HIPAA Rules violation.
This year, OCR already resolved eight settlements with HIPAA-covered entities for HIPAA violations found when investigating the complaints and data breaches. OCR also issued one civil monetary charges:
Here is a list of the 2017 HIPAA Enforcement Actions on violating covered entities and settlement amounts:
- Memorial Healthcare System – $5.5 million
- Children’s Medical Center of Dallas- $3.2 million (Civil monetary penalty
- Cardionet – $2.5 million
- Memorial Hermann Health System (MHHS) – $2.4 million
- MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
- Presense Health – $475,000
- Metro Community Provider Network – $400,000
- Luke’s-Roosevelt Hospital Center Inc. – $387,000
- The Center for Children’s Digestive Health – $31,000
The biggest HIPAA settlement in 2017 was with Memorial Healthcare System. There were 6 hospitals and other facilities included in the health system, which are located in South Florida. The payment of $5.5 million settled potential violations of HIPAA Rules which involved employees that impermissibly accessed ePHI and impermissibly disclosed PHI to associated physician office employee. The settlement showed the value of audit controls and the demand to meticulously control who gets access to ePHI.
The second biggest HIPAA settlement was $2.5 million for multiple potential HIPAA rules violations that resulted in the breach of medical records of 1,391 patients. An unencrypted laptop computer of health services provider Cardionet was stolen resulting in the breach. The settlement showed how important it is to conduct an extensive risk assessment and address vulnerabilities to protect the privacy of ePHI.
In May, Memorial Hermann Health System paid $2.4 million as settlement for HIPAA violations for impermissible disclosure of a patient’s ePHI during a press release and subsequent meetings with state representatives and advocacy groups.
In January, MAPFRE Life Insurance Company of Puerto Rico agreed to pay a $2.2 million settlement. The incident that prompted the investigation was the stolen unencrypted pen drive containing 2,209 persons’ PHI. The investigation showed several violations of HIPAA Rules which include the inability to perform a complete and precise risk assessment, the inability to carry out security awareness training for employees, the unencryption of ePHI and the failure to apply proper policies to protect ePHI.
Children’s Medical Center of Dallas paid a civil monetary penalty for impermissibly disclosing ePHI and failing to comply with the HIPAA Security Rule for a number of years. The settlement solves HIPAA failures that led to a breach of 3,800 records associated with the missing unencrypted Blackberry device in 2009 and 2,462 records associated with the missing unencrypted laptop computer in 2013.
In the last summer, there was a period of silence of enforcement activities. But, the fall is most likely to see much more settlements declared.