Dedicated to providing the latest
HIPAA compliance news

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

Share this article on:

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

 

Summary of 2016 HIPAA Settlements

 

Covered Entity Date Amount Breach that triggered OCR investigation Individuals impacted
University of Massachusetts Amherst (UMass) November, 2016 $650,000 Malware infection 1,670
St. Joseph Health October, 2016 $2,140,500 PHI made available through search engines 31,800
Care New England Health System September, 2016 $400,000 Loss of two unencrypted backup tapes 14,000
Advocate Health Care Network August, 2016 $5,550,000 Theft of desktop computers, loss of laptop, improper access of data at business associate 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center July, 2016 $2,750,000 Unprotected network drive 10.,000
Oregon Health & Science University July, 2016 $2,700,000 Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia June, 2016 $650,000

 

Theft of mobile device 412 (Combined total)
New York Presbyterian Hospital

 

April, 2016 $2,200,000 Filming of patients by TV crew Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina April, 2016 $750,000 Improper disclosure to business associate 17,300
Feinstein Institute for Medical Research March, 2016 $3,900,000 Improper disclosure of research participants’ PHI 13,000
North Memorial Health Care of Minnesota March, 2016 $1,550,000 Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. February, 2016 $25,000 Improper disclosure of PHI (website testimonials) Unconfirmed
Lincare, Inc.

 

February, 2016* $239,800 Improper disclosure (unprotected documents) 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

 

The largest HIPAA settlement of 2016 –  and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On