A Year of HIPAA Enforcement: OCR HIPAA Penalties Issued in 2015
In its capacity as enforcer of the Health Insurance Portability and Accountability Act (HIPAA) Rules, the Department of Health and Human Services’ Office for Civil Rights (OCR) can issue fines to HIPAA-covered entities that fail to implement sufficient safeguards to keep the Protected Health Information (PHI) of patients and health plan members secure.
OCR has been criticized in recent years for an apparent lack of enforcement, specifically for failing to issue financial penalties for clear violations of the HIPAA Privacy, Security, and Breach Notification Rules by HIPAA-covered entities.
Covered entities are required to self-report data breaches to OCR under the Breach Notification Rule of 2009, and all data breaches that expose the PHI of more than 500 patients are investigated. Sometimes, those data breaches occur even when covered entities have implemented all of the administrative, technical, and physical controls that are required by the HIPAA Security Rule.
However, in many cases, data breaches are suffered as a result of HIPAA failures. In such cases, action is taken by OCR although the vast majority of those breaches – 99.9% – do not result in financial penalties. Instead, OCR opts for a wrist slap and a Corrective Action Plan (CAP). A CAP is a set of actions that must be taken to bring data privacy and security standards up to the standard required by HIPAA. The CAP includes a strict time scale for changes to be made, with the requirement to report the completion of elements of the CAP to OCR.
In cases where there has been willful violation of HIPAA rules, or when multiple violations have occurred, a CAP alone is insufficient and a financial penalty is issued. In 2015, six financial penalties were issued to covered entities, with all opting to settle the violations without admission of liability.
The settlement amounts reflect the severity of the violations, the number of violations discovered by OCR investigators, the length of time those violations had been allowed to persist, and the number of individuals affected. As was shown in 2013, a data breach does not necessarily have to involve more than 500 individuals for a financial penalty to be issued. Hospice of North Idaho was fined $50,000 in 2013 for a data breach that exposes the records of only 441 individuals.
Although 6 settlements were agreed in 2015, the violations that led to the financial penalties did not occur last year. OCR enforcement actions taken against covered entities can take many years before settlements are finally reached. In fact, a delay of up to six years is not unheard of.
2015 was a particularly bad year for covered entities with over 133 million healthcare records exposed in 259 reported data breaches. However, financial HIPAA penalties are unlikely to be decided for at least two years. It could take until 2020 before covered entities have to pay for data breaches stemming from violations uncovered last year.
Consequently, it is difficult to gauge how tough OCR is being on covered entities, although the number of violation penalties now being issued has increased significantly since the HIPAA Enforcement Rule was Issued in 2009.
2015 OCR HIPAA Violation Penalties
In 2015, the following OCR HIPAA violation penalties were issued to covered entities that were investigated after patient data was inadvertently, or in some cases deliberately, disclosed to unauthorized individuals.
Cornell Prescription Pharmacy – $125,000
The fine was issued for the improper disposal of PHI after 1,600 customers’ data was discovered to have been disposed of insecurely in an unlocked and open container.
The fine showed that regardless of the size of an organization, HIPAA financial penalties can and will be issued. Cornell operates a single location pharmacy in Denver, CO.
Cancer Care Group, P.C. – $750,000
A settlement was reached with Cancer Care Group, IN., after an unencrypted laptop and data backups were stolen from the vehicle of a company employee.
The high fine was warranted as the healthcare provider had failed to conduct an organization-wide risk analysis and had not implemented policies to control devices being removed from company premises by employees.
St. Elizabeth’s Medical Center – $218,400
A settlement was reached with St. Elizabeth’s Medical Center, MA, after employees were discovered to be using an unsecure system to share PHI. The records of close to 500 patients were potentially exposed.
While numerous HIPAA failures were discovered by OCR investigators, one of the main reasons for the financial penalty was the failure to conduct a comprehensive risk assessment.
Triple-S Management Corporation – $3.5 million
The largest HIPAA settlement of the year was agreed with Puerto Rico based Triple-S Management Corporation. The huge fine was warranted due to the discovery of multiple HIPAA failures and the numerous data breaches suffered by Triple-S subsidiaries. Security Rule failures, including the failure to conduct a comprehensive risk assessment, and lack of appropriate data security controls to safeguard ePHI were cited by OCR in the settlement agreement.
Lahey Clinic Hospital, Inc. – $750,000
Lahey Clinic Hospital, MA., also received a substantial HIPAA fine for failing to conduct a fully comprehensive risk assessment and implement appropriate physical controls to secure ePHI. An unencrypted laptop computer was stolen exposing the ePHI of 599 patients in 2011. The laptop had been left in an unlocked treatment room.
University of Washington Medicine – $850,000
University of Washington Medicine suffered a data breach impacting 90,000 patients as a result of an employee inadvertently installing malware on a computer after falling for a phishing campaign. It may not be possible to prevent all cyberattacks, but training staff on phishing email identification may have prevented this breach. The fine however, was for the failure to perform an enterprise-wide risk assessment.