The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance. Up until 2016, financial penalties for HIPAA violations were rare. Then there was a doubling of financial penalties in 2016 and enforcement actions continued at an elevated level in 2017.
2018 got off to a slow start with few penalties issued and there was speculation that OCR was scaling back its enforcement activities. However, there was a flurry of announcements about settlements in the latter half of the year, including the largest ever HIPAA penalty.
The recently published Beazley Breach Insights Report includes an analysis of OCR enforcement activities in 2018 and confirms that OCR is not easing up on healthcare organizations. In 2018, settlements and civil monetary penalties ranged from $100,000 to $16 million, with an average penalty of $2.8 million, up from $1.9 million in 2017.
The Beazley Breach Response (BBR) team also found it is taking much longer for OCR to close its investigations and settle HIPAA cases. Cases now take an average of 4.3 years to close compared to 3.6 years in 2018.
The Beazley report contains a warning for healthcare organizations: a major breach is not required to trigger an OCR investigation. OCR now scrutinizes all breach reports and attempts to identify patterns that could indicate non-compliant behavior.
In the case of Fresenius Medical Care, the organization experienced five breaches, each involving fewer than 250 records. The pattern was identified, noncompliance was discovered, and the case was finally settled for $3.5 million.
There were many common themes in 2018 HIPAA enforcement actions, one of the most prevalent being risk analysis failures. Covered entities must regularly perform and document security risk analyses and develop risk management plans to address vulnerabilities and reduce them to an acceptable level.
Access controls must be set appropriately and maintained, and encryption must be considered for all ePHI. If the decision is taken not to encrypt, that decision must be documented and alternative measures must be implemented in its place. The settlements also highlight how important it is to have business associate agreements in place with all vendors who are provided with access to PHI.
While there were many Security Rule failures, the HIPAA settlements in 2018 also highlight the importance of respecting patient rights and complying with the HIPAA Privacy Rule. Multiple settlements resolved privacy violations such as filming patients and disclosing PHI without consent.