HIPAA Enforcement: A Reality Check
A Look at How Most HIPAA Investigations End Up
While HIPAA settlements with large financial penalties grab headlines, the vast majority of settlements tied to breaches and other complaints call for no such penalties, the Department of Health and Human Services confirms. Instead, they simply spell out corrective action plans or offer technical assistance. And some 60 percent of HIPAA complaints are ultimately dismissed because there are no grounds for regulatory action.
Since 2008, there have been just 21 HHS Office for Civil Rights resolution agreements that included financial payments, plus one case that involved a civil monetary penalty, which is considered more punitive. But those settlements in the wake of a wide variety of breaches have been powerful reminders to healthcare organizations and their business associates about HIPAA compliance missteps that need to be corrected or avoided.
Recent Enforcement Cases
In the latest enforcement activity, HHS' Office for Civil Rights recently announced an $800,000 HIPAA settlement with Indiana-based community health system Parkview Healthcare for a 2009 breach involving paper medical record dumping and affecting between 5,000 and 8,000 patients. That settlement follows a $4.8 million resolution agreement revealed in May involving two New York healthcare organizations - New York-Presbyterian Hospital and Columbia University. The OCR investigation into that incident, which involved unsecured patient data on a network and affected about 6,800 patients, uncovered other HIPAA compliance issues, including the lack of a risk analysis and failure to implement appropriate security policies.
Back in 2011, OCR issued its only "civil monetary penalty" to date - a $4.3 million fine against Cignet Health. In that case, the organization refused to provide patients with their medical information and then refused to cooperate with investigators, OCR says. The agency is still trying to collect the penalty from Cignet.
Since the HIPAA compliance date in April 2003, HHS has received more than 95,000 complaints about HIPAA violations, an OCR spokeswoman tells Information Security Media Group. Of those, "we have resolved 95 percent of complaints received, or over 90,411," she says. Cases being investigated by OCR include the 1,045 major breaches listed as of June 25 on HHS' "wall of shame" website, which includes incidents since September 2009 affecting 500 or more individuals.
In total, those major breaches have impacted about 31.8 million individuals. About three dozen breaches have been added to the HHS list over the last month (see Health Breach Tally Tops 1,000 Incidents).
Of the 1,045 major breaches on the wall of shame, 751 OCR investigations are completed, the office reports. Those closed cases include 460 with corrective action plans; 71 cases where no HIPAA violations were found; 67 with technical assistance provided by OCR; and an array of other "closure types," ranging from 47 "consolidated compliance reviews" to situations where monitoring by OCR is being required, officials say.
Almost 40 percent of the nearly 100,000 HIPAA cases investigated by OCR have ended up with corrective action plans or technical assistance from the agency that focus on improving compliance and don't involve monetary payments.
Corrective action plans often include organizations agreeing to improve their security policies and procedures, conducting a thorough risk analysis, encrypting devices and retraining employees. As an outcome to investigations, OCR also frequently provides technical assistance to organizations, such as help understanding the requirements of the HIPAA breach notification rule or tips for safeguarding protected health information.
The remaining HIPAA investigations that have been closed by OCR to date - nearly 60 percent - ended up with OCR finding no violation occurred or regulators determining that the complaint did not present an eligible case for enforcement.
"I believe we should not be so quick to assume that every reportable breach, even a large breach that affects more than 500 individuals, can be assumed to have a cause that indicates that the covered entity or business associate had not complied with the requirements of the Privacy, Security or Breach Notification Rule," notes David Holtzman, a former OCR senior adviser who left the agency in January to join security consulting firm CynergisTek as vice president of compliance.
"As we have seen time and time again, an organization can have implemented reasonable and appropriate measures to safeguard protected health information only to have criminals use cutting edge technology to make bad things happen," he adds.
In the 10 years that OCR has been enforcing the HIPAA rules, most valid complaints and compliance reviews have been resolved informally through voluntary corrective action by covered entities or business associates, Holtzman notes.
Other Enforcement Entities
It's also important to note that OCR isn't the only enforcement agency that can issue HIPAA related penalties. Healthcare organizations and business associates also need to be mindful of state authorities that can take action for health data privacy violations.
In fact, among the breaches recently posted on the HHS "wall of shame" is a 2013 incident in Puerto Rico involving a paper mailing error by insurer Triple S Salud that affected more than 56,000 individuals.
The incident prompted a local government agency to issue a fine of $6.8 million to Triple S, which an agency official says is being appealed by the insurer in federal court.
The OCR spokeswoman tells ISMG that OCR is also still investigating that Puerto Rican breach, but she declines to disclose the status of that case.
Sending a Message
Some security experts say they aren't surprised by the relatively small number of monetary enforcement actions that OCR has taken, considering the heavy volume of complaints and breach reports the agency receives.
The 21 settlement agreements have included a mix of cases involving large and small healthcare organizations, as well as a wide scope of breach incidents including those involving paper, electronic records, unencrypted devices, improper access, and investigative findings that include a lack of risk assessments being performed, poor security policies and controls, and inadequate workforce training.
"OCR also wants to include a broad variety of organization types," notes Dan Berger, CEO of security consulting firm Redspin. "For example, one recent addition to the breach list was an investigation of a stolen laptop from a mobile dental van. I'd categorize some of these investigations as intelligence gathering. OCR is trying hard to address the issue of there being so many small practices. It is a challenge both for them to comply and for HHS and OCR to help educate," he says.
All of OCR's enforcement activities serve an important purpose, Holtzman says.
"I believe that OCR's active enforcement efforts, as well as the much publicized ramping up in preparation for Phase 2 of the HIPAA/HITECH audit program is having an impact on the health care sector," he says.
"In addition, the efforts of state regulators and attorney generals ... combined with class action lawsuits for money damages arising out of breaches, are attracting a lot of attention," he notes.