The Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped up its enforcement activities in recent years, and 2016 was a very busy year in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. In fact, last year saw unprecedented levels of enforcement actions, fines and aggregate HIPAA penalties being assessed. This past year also saw HHS OCR launch Phase 2 of its HIPAA Privacy, Security and Breach Notification Audit program.
According to Law360, in 2016, payments of $23 million were made to OCR to resolve potential noncompliance with HIPAA Security and Privacy rules, which represents a 300 percent increase over the previous annual record of $7.4 million in 2014. There were 13 enforcement actions in 2016, a significant increase over the previous annual record of seven actions. In August, as previously reported by Healthcare Informatics, OCR announced the largest settlement to date, as Advocate Health Care Network agreed to pay $5.55 million in a settlement with HHS stemming from data breaches affecting the protected health information (PHI) of 4 million people.
And, so far this year, the upswing in HIPAA enforcement activity has continued. In February, Hollywood, Fla.-based Memorial Healthcare Systems (MHS) agreed to pay HHS $5.5 million to settle potential HIPAA violations stemming from two health system employees inappropriately accessing patient information. Additionally, in February, OCR fined Children’s Medical Center of Dallas $3.2 million due to data breaches resulting from the losses of encrypted mobile devices that contained unsecured ePHI of about 6,260 individuals, as reported by Healthcare Informatics.
There is a distinction between a settlement and a civil money penalty. In the case of Children’s Medical Center of Dallas, the fine was the result of what OCR described as the hospital’s non-compliance “over many years with multiple standards of the HIPAA Security Rule.” Further, OCR officials stated that despite Children's knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.
To date, it is unclear what the new Trump administration’s priorities will be with regard to HIPAA enforcement, yet the enforcement activities in 2016 and so far in 2017 should serve as a wake-up call to healthcare organizations regarding the importance of safeguarding PHI. And beyond complying with HIPAA Security and Privacy rules to avoid OCR penalties, security best practices also can help mitigate the risk of data breaches. David Holtzman, vice president of compliance strategies at CynergisTek, an Austin, Texas-based cybersecurity consulting firm, notes that surveys of consumer attitudes have consistently shown that patients lose trust in healthcare organizations that have breaches. “A healthcare organization is only as good as the trust its patients put in it,” he says.
Holtzman previously served on the health information privacy team at the Department of Health and Human Services’ Office for Civil Rights (OCR/HHS), where he served as the senior advisor for health information technology and the HIPAA Security Rule. He recently spoke with Healthcare Informatics Associate Editor Heather Landi about HIPAA compliance issues, data security and why hospital executives need to sit up and take notice of OCR’s enforcement activity.
Last year, we saw record levels of enforcement actions from OCR. Why did we see a rise in enforcement action last year and will this continue?
I would actually pin this back to the middle of 2015, when we began to notice an uptick in OCR’s enforcement activity, and quite frankly, to give credit where credit is due, then-OCR director Jocelyn Samuels made it a priority to engage in a more aggressive stance toward resolving enforcement actions at OCR with formal enforcement. OCR has always had the authority to enforce the HIPAA privacy and security rules, and now the breach notification rules. Prior to the passage of the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), OCR was directed to attempt to resolve matters informally through voluntary compliance. The HITECH Act, with its increase of penalties for HIPAA violations, also directed that the agency would be able to keep any fines or penalties collected for use in health information privacy enforcement or education, and also required the agency to levy a penalty when it found willful neglect.
There also has been an increase in cyber criminals targeting the healthcare industry. Is the rise in OCR enforcement activity correlated to that?