The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA. Business Associates are also within the OCR’s sights: the Omnibus rule extended HIPAA’s requirements to these entities and empowered the OCR to directly investigate and enforce their compliance.
Catholic Health Care Services Settlement
Consistent with its new focus on small incidents, the OCR’s enforcement activity also has increased significantly. Earlier this summer, the OCR reached a $650,000 settlement with Catholic Health Care Services (CHCS), a Business Associate to several nursing homes, regarding alleged violations of the HIPAA Security Rule that resulted in the compromise of the protected health information of 412 individuals. The incident that led to the settlement occurred when a CHCS-issued iPhone that contained PHI was stolen. The phone was unencrypted and not protected by a password. The OCR investigated the incident and determined that CHCS failed to take any steps to protect the data on the iPhone, which the OCR alleged was a violation of HIPAA’s Security Rule. The resulting settlement is notable both because it was the first levied directly against a Business Associate and because the incident impacted a relatively small number of individuals. While the fine might appear large, the OCR stressed that the amount reflected a consideration of CHCS’s status as a non-profit and CHCS’s focus on providing services to underserved populations in Philadelphia. OCR’s consideration of these factors suggests that the OCR could impose even greater fines on for-profit entities for similar infractions.
Advocate Health Care Settlement
For larger incidents, the OCR has started levying larger fines. For example, in August 2016, HHS announced its largest settlement to date, $5.55M with Advocate Health Care. The OCR alleged that Advocate Health Care failed to implement and maintain a HIPAA compliance program by failing to adequately address breaches. The specific HIPAA compliance issues included: failure to conduct risk assessments after security incidents, inadequate implementation of access controls, failure to obtain Business Associate agreements, and failure to take mitigating steps following the impermissible disclosures of PHI. According to the OCR press release, those breaches affected the PHI of nearly 4 million people. The combination of an alleged significant violation and a high number of impacted individuals gave rise to the large fine.
The OCR is clearly seeking to establish itself as a major player in the privacy enforcement space. It is now clear that the OCR’s enforcement actions may target institutional failures to establish effective HIPAA compliance programs, as well as small incidents experienced by smaller Covered Entities and Business Associates. As the OCR continues to audit HIPAA Covered Entities and Business Associates, organizations should be prepared to see larger and more frequent fines, as well as increased scrutiny for violations. To reduce the risk of enforcement, Covered Entities and Business Associates must invest significant resources into assessing their compliance with HIPAA and aggressively addressing any gaps in compliance.