Could Big HIPAA Settlements Be Coming?

Privacy Attorney Adam Greene on Enforcement Trends

Federal regulators will likely announce a number of eye-popping financial settlements for HIPAA violations later this year as a result of breach investigations, predicts privacy attorney Adam Greene.

So far this year, the Department of Health and Human Services' Office for Civil Rights hasn't revealed any HIPAA settlement agreements with covered entities or business associates. But in an interview with Information Security Media Group during the HIMSS 2015 conference in Chicago, Greene predicts a big change in the second half of the year.

"We've heard anecdotally that [OCR] has a significant pipeline of unprecedented settlement agreements, meaning particularly high amounts [of financial penalties] and a particularly large number," says Greene, who formerly worked at OCR. "So it wouldn't be surprising for us to start seeing in the latter part of this year some really surprising settlement agreements with respect to potential record-breaking [financial penalties]. I think the delay, this gap in settlement agreements, relates to the change in leadership at OCR and for that new leadership to get settled in."

Last July, Jocelyn Samuels was named the new director of OCR. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

In 2014, OCR announced six resolution agreements involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.

As for potential OCR settlements with business associates, who became directly liable for HIPAA compliance under the HIPAA Omnibus Rule, Greene doesn't expect OCR action until next year.

"We see that [the time between] an actual [HIPAA] incident happening and an actual settlement agreement tends to be two to three years. And business associates were not being held liable by HHS for [HIPAA] compliance until September 2013," he notes. "So it seems that if you had a breach by a business associate at the end of 2013, that could lead to an investigation of the business associate ... and we could see the fruition of that investigation by the end of this year, but more likely next year."

In the interview, Greene also discusses:

  • What's likely to come next in OCR's plans for a permanent HIPAA compliance audit program, which has been on hold since 2012;
  • The OCR enforcement activities that organizations should be most worried about;
  • Why the Centers for Medicare and Medicaid Services is proposing to lower the requirements for patients electronically accessing their health records in Stages 1 and 2 of the HITECH Act "meaningful use" financial incentive program for electronic health records.

As a partner at the law firm Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
