OCR Sets New Enforcement Activity Record with 2018 Settlements Totaling $28.7 Million
Maintaining compliance with all HIPAA Rules has never been more important for a health care business’s success than it is now. Last year, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) concluded an all-time record in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. In 2018, ten cases were settled by OCR, with an additional case that was granted summary judgement before an Administrative Law Judge (ALJ). The total of these eleven cases exceeded $28.6 million, surpassing the 2016 record of $23.5 million.
HHS’s February 7, 2019 press release regarding the settlements can be found here.
The first HIPAA enforcement activity of 2018 took the form of a $100,000 settlement from Filefax, Inc. An investigation into the company, a medical records maintenance, storage, and delivery services provider, found that Filefax had left an unlocked truck containing protected health information (PHI) in a parking lot, leaving the information unsecured.
Shortly after, OCR settled for $3.5 million with Fresenius Medical Care North America (FMCNA) after the company had filed five breach reports for incidents from February and July of 2012, impacting the electronic protected health information (ePHI) of five covered entities. OCR found that FMCNA, a provider of products and services for patients with chronic kidney failure, had neglected both to properly conduct a risk analysis of the security of the ePHI and to implement policies intended to safeguard the ePHI. These policies should largely have included procedures regarding encryption and decryption of the ePHI, when needed.
An OCR investigation into The University of Texas MD Anderson Cancer Center (MD Anderson) found that incidents in 2012 and 2013 produced three separate breach reports involving the loss of two unencrypted universal serial bus (USB) drives and the theft of an unencrypted laptop from an MD Anderson employee’s home. The investigation showed negligence on the part of MD Anderson, which had failed to adopt enterprise-wide policies regarding encryption of ePHI until 2011. Despite MD Anderson’s own findings that the lack of encryption posed a serious risk to the safety of ePHI, it still failed to encrypt its inventory of electronic devices containing ePHI. An HHS ALJ ruled in favor of OCR, requiring MD Anderson to pay $4.3 million for the HIPAA violations.
The filming of an ABC television network documentary series produced three separate settlements in September with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH), totaling $999,000. The privacy of patients’ PHI was jeopardized when film crews were allowed on premises to film without first receiving authorization from patients.
Also in September, Advanced Care Hospitalists (ACH), a contractor physician group, settled with OCR for $500,000. A breach report filed by ACH confirmed that patient information could be viewed on a billing services’ website, although ACH never had a business associate agreement with the provider of the billing services. ACH had also failed to conduct a risk analysis prior to 2014, even though they had been in business since 2005.
A settlement payment of $125,000 was made in October 2018 by Allergy Associates, a health care practice that specializes in treating individuals with allergies. After a disagreement occurred between a patient and a doctor with the company, the patient contacted a local television station to speak about the dispute. When speaking with a reporter, the Allergy Associates doctor disclosed the patient’s PHI without the patient’s authorization.
The single largest individual HIPAA settlement in history also occurred in October, with a payment of $16 million by Anthem, Inc. This payment surpassed the previous record of $5.5 million, made in 2016. A series of cyberattacks on the company in December of 2014 and January of 2015 led to the nation’s largest health data breach in history, when the ePHI of almost 79 million individuals was stolen, including names, social security numbers, and dates of birth, among other information. In addition to the payment, Anthem also agreed to take substantial corrective action to settle any potential violations of the HIPAA Rules that may occur.
OCR settled with Pagosa Springs Medical Center (PSMC), a critical access hospital, for $111,400 in November 2018 due to the impermissible disclosure of the ePHI of 557 individuals. This occurred because PSMC continued to allow a former employee remote access to a web-based scheduling calendar.
Rounding out the year of lucrative HIPAA enforcement activity, Cottage Health agreed to pay $3 million to OCR and to adopt a corrective action plan in order to settle any potential violations of the HIPAA Rules. Cottage Health, which operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital, filed two breach reports, in December of 2013 and December of 2015, regarding breaches of unsecured ePHI. These breaches affected over 62,500 individuals and resulted in sensitive information, including names, addresses, dates of birth, and health conditions, among other information, being accessible via the internet.
For more information regarding HIPAA enforcement activity and compliance, please contact Clinton Mikel, Esq.