Although the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may yet announce one or two year-end settlements, it appears that 2019 will be known more for the implementation of changes in HIPAA enforcement policy than for any of the particular matters that OCR resolved. Last April, OCR announced that it would lower the maximum penalties assessed for most categories of HIPAA violations. Previously, the same maximum $1.5 million cap applied to all categories of violations, regardless of severity. The new policy lowered the limit to:
- $25,000 when an entity does not know and would not have known of the violation when exercising reasonable diligence.
- $100,000 when the violation is due to reasonable cause.
- $250,000 when the violation arises from willful neglect, but is corrected.
Only violations that result from willful neglect and are not corrected remain subject to the $1.5 million cap.
It initially appeared that the new enforcement policy was producing a dramatic reduction in all settlement amounts. A settlement reached before (although announced after) publication of the new policy resulted in a $3 million penalty payment, while the penalty amounts for the first few settlements that followed the guidance never topped $100,000. However, as 2019 progressed, OCR announced a number of larger settlements. For example:
- OCR imposed a penalty of approximately $2.15 million against Jackson Health System for violations that included staff members’ unauthorized access to the protected health information (PHI) of a professional athlete, the unauthorized access by an employee of records of more than 24,000 patients (records that were eventually sold), and the loss of certain patient records. The Health System waived its right to a hearing and did not contest OCR’s Notice of Proposed Determination.
- OCR imposed a penalty of $1.6 million against the Texas Health and Human Services Commission after the Commission discovered a vulnerability in a web application designed to collect and report information for Medicaid waiver programs. The Commission discovered the breach when an unauthorized user reported gaining access to the application without entering credentials. Following an investigation, OCR determined that PHI had been placed on a public server that allowed an undetermined number of unauthorized users to view names, Social Security numbers, Medicaid numbers and treatment information of approximately 6,500 individuals.
- OCR secured a settlement of $3 million with the University of Rochester Medical Center (URMC) after URMC reported that a flash drive containing PHI was lost and an unencrypted laptop that contained PHI was subsequently stolen from a treatment facility. Following an investigation, OCR determined that URMC had failed to conduct a thorough risk analysis of vulnerabilities of the electronic PHI (ePHI) in its possession and to implement sufficient policies and procedures safeguarding the movement of hardware and media containing ePHI within and outside of the facility, including a failure to sufficiently encrypt ePHI.
- Sentara Hospitals agreed to pay approximately $2.2 million to settle allegations that it inappropriately disclosed PHI of 577 patients when it mailed the billing statements for these patients to the wrong addresses. Sentara reported the breach to OCR, but incorrectly limited its report to eight individuals based on its erroneous understanding that it was required to report breaches only if they disclosed specific medical information, such as a patient’s diagnosis or treatment. In addition, Sentara failed to report all affected individuals even after OCR advised it of its requirement to report all violations.
In total, half of the announced OCR actions involved more than $1.5 million in penalties (it is worth keeping in mind that the annual cap applies per type of violation, so multiple types of violations may result in assessments that exceed the $1.5 million per-type cap), while the remaining half ranged from $10,000 to $100,000. Two of the smaller settlements involved OCR’s first enforcement actions related to its Right of Access Initiative, which focuses on the rights of individuals to receive copies of their medical records in a timely manner without being overcharged. Both of those actions resulted in settlements of $85,000.
2019 continued a trend set in prior years by starting slowly. Eight of the ten assessments announced by OCR occurred after mid-September.
Absent any late-breaking announcements for actions resolved at the end of last year, the total assessments for 2019 will amount to a little more than $12 million. That amount is less than half the record-setting amount of 2018, although the number of actions resolved was similar. It is difficult to assess how much of this decrease is attributable to the new enforcement policy. 2018 appears to have been an anomaly with more than half of the assessments arising from the $16 million settlement with Anthem.
Given the sharp division between large and small settlements, it appears that OCR is making distinctions that place violations in different categories of severity and that treat certain violations as being of the same or a different type. At this time, there is only a small sample with limited information as to how OCR is making these distinctions. OCR announcements for situations where it assessed penalties without reaching an agreement provide significantly greater information on how OCR views certain matters, but still leave much to speculation.
Ultimately, parsing out what leads to larger vs. smaller penalties should not guide an entity’s approach to addressing HIPAA’s privacy and security requirements. Health care providers, health benefit plans, healthcare clearinghouses, and their respective business associates ought to take diligent measures to safeguard PHI and otherwise comply with HIPAA. If a violation does occur, it should be addressed promptly and thoroughly to minimize the harm to individuals and to prevent it from happening again. And, even though the penalties may be relatively small, those subject to HIPAA should aim to respond promptly and appropriately to an individual’s request for records.