Beyond 2017 HIPAA Enforcement Action: What Comes Next

There has been much speculation over the past nine months regarding what the future of HIPAA enforcement action will be under the Trump administration. Many observers have suggested that HIPAA enforcement action may decrease under President Trump’s general policies of less government intrusion in private business enterprises. Based on HIPAA enforcement activities this year, that does not seem to be the case.

2017 has clearly demonstrated that the U.S. Department of Health and Human Services (HHS) is aggressively stepping up its enforcement action. This would be a very good time for healthcare organizations (Covered Entities and their Business Associates) to analyze their HIPAA Privacy and Security compliance program and make certain they are meeting federal, as well as their particular state, requirements. As of June 2017, the PHI of nearly 170,000,000 Americans has been unlawfully disclosed in data breaches, greatly increasing their risk of identity and medical identity theft; that staggering number represents more than half of the U.S. population. HHS is now reporting more than 2,000 complaints per month, a significant increase since 2015.

As of September 2017, the Office for Civil Rights (OCR), the federal agency that enforces HIPAA, has agreed to eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches, and has issued one civil monetary penalty.

2017 HIPAA Enforcement Actions

- Memorial Healthcare System – $5.5 million
- Children’s Medical Center of Dallas – $3.2 million (civil monetary penalty)
- CardioNet – $2.5 million
- Memorial Hermann Health System (MHHS) – $2.4 million
- MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
- Presence Health – $475,000
- Metro Community Provider Network – $400,000
- Luke’s-Roosevelt Hospital Center Inc. – $387,000
- The Center for Children’s Digestive Health – $31,000

Anthem, the United States’ largest for-profit healthcare company, has been forced to watch from the sidelines while its astronomical data breach has played itself out in the courtroom. In June of this year, Anthem agreed to pay the highest ever settlement of $115 million for its massive data breach in 2015, which affected a record-shattering 79 million individuals. As part of the settlement, the company denies any wrongdoing or that any individuals were harmed as a result of the attack. This breach began as a phishing campaign and was the catastrophic result of one employee impulsively opening an email they shouldn’t have, combined with Anthem’s failure to take prompt, appropriate and effective corrective action in response. While investigators now believe that this attack was orchestrated by a foreign nation, the sophistication of the attack lay not in the phishing email but in the ability of the malware to move throughout the IT infrastructure, access critical databases, and remain undetected for quite some time. This massive breach and its impact highlight the critical importance of comprehensive and frequent security awareness training for all employees of healthcare organizations. There are important cybersecurity lessons to be learned here for other organizations as well, not just HIPAA Covered Entities.

The human element remains the weakest link and greatest risk in HIPAA related issues and unlawful disclosures.

As to what the future holds, just last week, speaking at the 10th annual "Safeguarding Health Information" HIPAA conference, Roger Severino, the new Director of Health and Human Services Office for Civil Rights (OCR) stated that his top enforcement priority for 2018 is to find a "big, juicy, egregious" breach case to use as an example from which others can learn.

2016 also saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a sharp increase in comparison to 2015 penalties, which were just over $6 million from just 6 resolution agreements. Per-entity fines have increased as well, from about $850K in recent years to $5.55 million in 2016.

In 2017, we saw the second highest ever penalty with Memorial Healthcare System – $5.5 million. For those keeping track, the highest ever fine was levied in 2016 for $5.55 million to Advocate Health Care to settle multiple data protection violations over a three-year period.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended stronger enforcement and follow-up from the OCR for HIPAA violations:

“OCR should strengthen its follow-up of breaches of PHI reported by covered entities. OCR investigated the large breaches, as required, and in almost all of the closed large-breach cases, it determined that covered entities were noncompliant with at least one HIPAA standard. Although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities.”

It is unclear at this time whether a permanent HIPAA auditing program, recommended by the Office of Inspector General, will go into effect under the current administration. Many believe it is on hold until the new HHS Director, Thomas Price, M.D., appointed in February 2017, makes a decision on the direction HIPAA enforcement action will take. No one can predict with any certainty, but indications are that there will be little change in the aggressive enforcement action undertaken so far.

Investigators looking into breaches have reported that, in general, these breaches were not accidents. What contributed to the breach of thousands, if not tens of thousands, of records was systemic noncompliance over periods of many years.

Organizations are given some latitude; they are not expected to be perfect. They must, however, take HIPAA compliance seriously and demonstrate clear and conscientious efforts, and that means far more than a check-box compliance program. Many smaller CEs make the incorrect assumption that, as a smaller entity, they need not worry about HIPAA compliance, audits, penalties and enforcement actions, when in fact nothing could be further from the truth. Private practices actually receive the highest degree of scrutiny from OCR, and the Wall of Shame reflects the violations and breaches of smaller and individual private practices as well as larger entities; keep in mind, though, that the Wall of Shame site only lists breaches affecting 500 patients or more. In one HIPAA violation case involving a small practice, a dermatology practice lost an unencrypted flash drive that contained protected health information (PHI). The group was fined $150,000 and was required to implement a corrective action plan. The smaller breaches and violations simply do not get the same publicity and media attention, for they are not as sensational as the cases with multi-million dollar penalties. HIPAA compliance is a requirement for all Covered Entities and their Business Associates, no matter the size. All covered entities have an ethical and legal responsibility to be in compliance and to protect the private, protected health and other confidential data of their patients.

This year has also seen some of the first ever audits and penalties involving Business Associates. HHS has also announced they were staffing up regional offices to follow up with smaller and medium entities and their patient HIPAA complaints, violations, and breaches.

In the resolution agreements, corrective actions are required along with a 3-year monitoring agreement in addition to the monetary payment. These agreements generally require risk assessment; revision of policies and procedures; breach protocols; proper management of paper records as well as electronic devices and data; improvements to cybersecurity systems and training; more compliant communications; disaster recovery plans; adequate documentation and authorizations by CEs; BA agreements; and more aggressive workforce and BA training.

The frequency with which these items appear in corrective action plans shows how important they are to OCR, and they need to be strengthened accordingly. Training must be conducted annually as a minimum requirement, and more often as issues arise. Business Associates MUST understand what they are signing and receive training on their requirements and obligations under the agreement, as well as under the Rule; execution of the document alone is insufficient.

I often see that these mandated and critical agreements are signed without even being read, or without their contents being explained by administrators. In addition, they must be updated annually.

In many of these OCR-investigated cases, the offending organizations were aware of the issues and violations but took minimal action, or in some cases no action at all. Risk assessment procedures, revised policies and procedures, documentation and breach procedures, Business Associate agreements, proper management of electronic devices, comprehensive employee and BA training on cybersecurity issues, disaster recovery plans, and workforce and Business Associate privacy AND security training need improvement in nearly every single case.

Covered Entities should also be cautious of vendors that promote HIPAA Certification. The U.S. Department of Health and Human Services does not recognize ANY HIPAA certification.

No single product, technology, or policy can provide complete HIPAA compliance or protection. We are frequently asked, "Can you make me HIPAA compliant?" We can give you the tools, systems, policies, agreements, training, protocols and processes to become HIPAA compliant, but the ultimate responsibility begins and ends with you and your organization. We can provide you the tools and help you execute them, but the proper ongoing management of them rests squarely upon your shoulders. HIPAA compliance is only achieved through people, those who manage, implement and control the tools, systems, processes, employees, vendors, contractors, data and technologies.

Far too many CEs mistakenly believe that their IT systems and processes handle all their HIPAA compliance issues, when in fact IT system security is only one part of a comprehensive HIPAA Privacy and Security compliance program.

It is unrealistic for any Covered Entity to believe that any IT system, no matter how sophisticated, complex, or costly, can by itself provide security within the walls of the organization.

The fact is that the majority of breaches are caused by internal human error or design, not external hackers. Key HR systems and processes are absolutely required; this is not an area where employers can afford to cut corners. The risk to your organization and patients is much too great.

Your employees can be your first line of defense. Selection, screening, onboarding, training, as well as your disciplinary and separation processes, are critical steps in the prevention of unlawful disclosures and breaches.

Maintaining the privacy and security of patient health data is a complex undertaking that involves every employee and business associate of a healthcare organization, every aspect of its IT system, personnel processes, as well as every vendor, partner, and insurer that works with the organization.

The bottom line is simply this: OCR resolves most cases without fines and issues fines in the most egregious cases, those with clear compliance omissions, repeated violations, and particularly those where the organization had ongoing knowledge of internal issues and failed to take corrective action (Children’s Medical Center of Dallas is one prime example): in short, those guilty of willful neglect.

The stronger and the more conscientious your compliance efforts with HIPAA, the less likely you’ll be hit with a monetary penalty by OCR.


Roya Camille Keyan, a former healthcare agency administrator, mental healthcare practitioner, compliance officer, and national auditor, is the Founder and CEO of HR Advisory Group Ltd, a national human resource, healthcare and executive search consultancy with a targeted and dedicated emphasis on HIPAA compliance and programming. HR Advisory Group Ltd was established in Tulsa, Oklahoma in 2005, and has been headquartered in Dallas, Texas since late 2016.

It appears that employers can no longer take a laid back approach to data security. Well written article.