The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.
In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.
Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.
While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.
A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:
Summary of 2016 HIPAA Settlements
Covered Entity
Date
Amount
Breach that triggered OCR investigation
Individuals impacted
University of Massachusetts Amherst (UMass)
November, 2016
$650,000
Malware infection
1,670
St. Joseph Health
October, 2016
$2,140,500
PHI made available through search engines
31,800
Care New England Health System
September, 2016
$400,000
Loss of two unencrypted backup tapes
14,000
Advocate Health Care Network
August, 2016
$5,550,000
Theft of desktop computers, loss of laptop, improper access of data at business associate
3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center
July, 2016
$2,750,000
Unprotected network drive
10.,000
Oregon Health & Science University
July, 2016
$2,700,000
Loss of unencrypted laptop / Storage on cloud server without BAA
4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia
June, 2016
$650,000
Theft of mobile device
412 (Combined total)
New York Presbyterian Hospital
April, 2016
$2,200,000
Filming of patients by TV crew
Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina
April, 2016
$750,000
Improper disclosure to business associate
17,300
Feinstein Institute for Medical Research
March, 2016
$3,900,000
Improper disclosure of research participants’ PHI
13,000
North Memorial Health Care of Minnesota
March, 2016
$1,550,000
Theft of laptop computer / Improper disclosure to business associate (discovered during investigation)
299,401
Complete P.T., Pool & Land Physical Therapy, Inc.
February, 2016
$25,000
Improper disclosure of PHI (website testimonials)
Unconfirmed
Lincare, Inc.
February, 2016*
$239,800
Improper disclosure (unprotected documents)
278
*Civil monetary penalty confirmed as lawful by an administrative law judge
The largest HIPAA settlement of 2016 – and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.
The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.
2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.
Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.
This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.
Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”
However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.
What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.
The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.