A Close Look at U.S., U.K. PenaltiesFrequent Fines vs. Resolution Agreements
When it comes to doling out penalties in the wake of health information breaches, the United Kingdom favors issuing frequent fines for relatively smaller violations, while the United States takes a "less is more" approach, entering comprehensive resolution agreements for a handful of breaches that include financial settlements.
The U.K.'s high-profile action calls attention to the government's low tolerance for privacy violations. Among the latest cases was a Â£175,000 ($274,000 U.S.) fine for mistakenly posting online sensitive personal information about nearly 1,400 employees of a community health service trust; a Â£60,000 ($94,000) fine for the mismailing of medical records and a Â£90,000 ($136,000) fine for patient lists being faxed repeatedly to the wrong recipient.
The largest U.K. fine so far, Â£325,000 ($508,000), stemmed from a 2010 incident involving the sale on the Internet of hard drives containing sensitive health information on tens of thousands of individuals.
In the U.K., penalties have also been levied against individuals involved with health data breaches, including more than Â£1,500 in penalties and other fees changed in January to a former health worker who pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband's family to obtain their new telephone numbers.
The U.S. Approach
By comparison, U.S. authorities have announced a total of nine resolution agreements since 2008 with a total of $8.8 million in settlement payments.
Only one case so far, against the clinic Cignet Health, has involved a civil penalty for a HIPAA privacy violation. But that case did not stem from a breach; it dealt with Cignet's refusal to provide patients with copies of their medical information, and then refusal to cooperate with federal investigators. The penalty totaled $4.3 million.
In June, OCR grabbed headlines when it announced a resolution agreement, with the Alaska Department of Health and Social Services that included a $1.7 million settlement. While a stolen USB drive potentially containing data on 501 Medicaid beneficiaries sparked the case, the penalty was tied to pattern of HIPAA non-compliance, including lack of risk assessments and staff training, discovered during OCR's investigation of the lost device incident.
The other two U.S. resolution agreements this year were a $1.5 million settlement with BlueCrossBlueShield Tennessee related to the theft of 57 unencrypted disk drives containing personal health information for 1 million patients; and a $100,000 settlement with Phoenix Cardiac Surgery, P.C , which posted patient information on a web-based calendar.
OCR's focus is to commit resources to resolution agreements with corrective action plans, says Susan McAndrew, the office's deputy director of health information privacy. Resolution agreements "draw attention of individuals to problem areas" to help prevent other, similar breaches, McAndrew says.
HIPAA enables OCR to issue civil penalties when a settlement cannot be reached, she notes. But no breach cases have resulted in a civil penalty so far.
One way OCR is attempting to build interest in breach prevention is to post a list of major incidents to its website. The hope is that the potential adverse publicity from the postings will lead organizations to improve their security efforts.
A major focus of the U.S.'s resolution agreements is a corrective action plan that spells out, in detail, a game plan for preventing future breaches.
The U.K. also demands that missteps be fixed, says Greg Jones, a spokesman for Information Commissioner's Office, the U.K.'s independent agency which enforces data privacy for individuals.
"We expect organizations to have taken action to ensure that security issues identified during a data breach are resolved in order to prevent a similar breach in the future," he says. "In situations where we still believe further measures are required, we can issue the organization with an undertaking which explains the measures we require them to introduce to improve their compliance with the UK Data Protection Act."
For example on April 30, Anneurin Bevan Health Board in the U.K. was issued with a monetary penalty of Â£70,000 following an incident where a sensitive report - containing explicit details relating to a patient's health - was sent to the wrong person, Jones says. "On the same day, the organization also signed an 'undertaking' to improve their compliance with the Act, which explained a number of further measures that we required them to introduce in order to keep their patients' information secure," he says.
See: Breach Penalties: Comparing U.S., U.K., for an analysis of the U.K. and U.S. crackdowns on health information breaches.