The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement efforts in the last few years and, as a result, 2016 HIPAA settlements recorded were at the highest ever levels.
Overall, payments encompassing $22,855,300 were issued to the OCR in 2016 to settle alleged HIPAA violations. Seven settlements were over $1,500,000.
Last year, OCR resolved alleged HIPAA breaches with 12 healthcare organizations. 2016 also saw an Administrative Law Judge decree that civil monetary penalties previously imposed on a covered body – Lincare Inc. – by OCR were legal, bringing the total to 13 for 2016. Lincare was only the second healthcare group obligated to settle a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations decided to settle with OCR voluntarily.
Financial penalties for HIPAA violations are not always appropriate. OCR normal tries to settle potential HIPAA violations using non-punitive actions. Financial penalties are kept for the most severe breaches of HIPAA Rules, when widespread non-compliance is identified, or in cases where healthcare groups have obviously disregarded HIPAA Rules.
Though major violation breaches of PHI may demand financial penalties and will have an impact on the final settlement figure, OCR has opted for financial penalties when relatively few people have been impacted by healthcare data breaches. This year has seen two settlements with healthcare groups for breaches that have affected less than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil financial penalty – Lincare Inc.
The largest HIPAA Breach Settlement of 2016 – and the largest HIPAA Breach settlement ever agreed with a single covered organization – was revealed in August. OCR agreed to settle possible HIPAA violations with Advocate Health Care Network for $5.5 million.
Prior to this, the largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was mistakenly indexed by search engines. The two entities were obligated to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder of the figure by Columbia University.
Before this, the previous largest HIPAA settlement for a single organization was agreed with Cignet Health ($4.3 million) for restricting access to the health records of 41 patients.
2017 has begun with an early HIPAA Breach settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – the first time that a settlement has been agreed for just a HIPAA Breach Notification Rule violation.
Looking ahead into 2017 and further, the future of HIPAA enforcement operations is not obvious. The new administration may reduce funding for OCR which would likely have an affect impact on HIPAA enforcement.
2017 will see the completion of the long-delayed second phase of HIPAA compliance audits, although it is unlikely that a permanent audit program will be initiated this year.
In 2016, Jocelyn Samuels revealed that the OCR will stay “laser-focused on breaches occurring at health care entities,” and that OCR is going to to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”
However, Jocelyn Samuels will be departing her role as head of OCR and it has not been announced who will take her place. While there are a number of suitable possibilities for the position, incoming US President Trump has a lot to do and the appointment of an OCR director is likely to be far down his to-do list. When a new OCR director is selected, we may find that he/she has different aims for the OCR’s budget.
What we can hope to see in 2017 is a continuation of enforcement operations that have already begun. HIPAA breach investigations take time to complete and settlements even longer. The 2016 HIPAA settlements are due to data breach reviews that were conducted in 2012-2013. The dramatic rise in data violations in 2014 – and HIPAA breaches that caused those breaches – may well lead to 2017 becoming another record-breaking year for HIPAA violation settlements.