The U.S. Department of Health and Human Services shattered previous records for enforcing the Health Insurance Portability and Accountability Act in fiscal year 2016, according to an analysis by McDermott Will & Emery health care attorneys.
The HHS Office for Civil Rights extracted a total of $25.6 million in settlement payments between Oct. 1, 2015, and Sept. 30, 2016, more than triple the previous annual record of $7.9 million set in fiscal year 2014, according to the law firm.
In 2016, the OCR also reached 13 settlements, called “resolution agreements,” in HIPAA enforcement actions, a new high for an agency that has never before resolved more than seven HIPAA cases in a fiscal year.
Edward Zacharias and David Quinn Gacioch, partners in McDermott’s Boston office who did the firm’s analysis, said that they have heard directly from HHS officials that a new era of HIPAA enforcement is at hand.
“It’s going to likely keep building on itself,” said Gacioch of the enforcement uptick.
The HHS civil rights office is responsible for enforcing HIPAA, the federal law passed in 1996 that allows individuals to continue their health insurance coverage after ending employment. The law also allows for electronic transfer of medical records. HHS adopted the Privacy, Security and Enforcement Rules under HIPAA in 2003. The rules protect the privacy and security of individuals’ medical information when it is handled by health care providers and insurers.
The HITECH Act, passed in 2009 as part of the Recovery Act providing financial incentives for providers to switch to electronic records, extended some of the same privacy and security rules to medical contractors. In 2013, an HHS Omnibus Rule finalized an updated breach notification standard. Individuals have no private right of action under HIPAA, but the act doesn’t preclude states from passing such laws.
Of nearly 22,500 received by HHS since 2003, however, the department had imposed a formal fine or civil monetary penalty in just one case and reached monetary settlement agreements in six others through 2011, according to congressional testimony by Sen. Al Franken, D-Minnesota, that year.
The OCR has investigated and resolved 24,559 cases through Oct. 31, 2016, requiring changes in privacy practices and corrective actions since 2003, when HIPAA’s privacy rule took effect, according to HHS. Its security rule took effect in 2005. The civil rights office refers matters involving deliberate disclosure or obtaining protected health administration to the Department of Justice for criminal prosecution, and 584 referrals had been made in the same period, according to HHS’s web page on health-information privacy.
Zacharias said that the OCR gave covered entities the intervening years since 2005 to “really understand what the rules require,” and so from the agency’s perspective, the “era of being more lenient” is ending.
External HIPAA compliance pressure
Zacharias added that upped enforcement could also be due to criticism from elsewhere in the federal government. The HHS Office of the Inspector General has published multiple reports criticizing OCR enforcement of HIPAA privacy and security standards as weak, and members of Congress have expressed similar concerns.
According the McDermott data, OCR is recovering more money in its settlements as well—with entities accused of violating HIPAA paying out an average of around $2 million, up from around $850,000 in recent years.
Settlement payments this year included a $5.55 million payout—the largest OCR has ever gotten from a single entity—announced in August from Advocate Health Care Network, a Chicago-area hospital and health care provider network that OCR alleged did not have HIPAA-compliant policies and procedures or sufficient data security, allowing data belonging to about 4 million individuals to be breached. The settlement included a corrective action plan.
McDermott’s analysis also showed that in addition to monetary penalties, all resolutions in 2016 included corrective action plans for the alleged violators to remediate their HIPAA compliance programs.
One trend in corrective action plans that Gacioch said has emerged in recent years is the use of “Reportable Events” provisions, which require real-time reporting of every detected violation of a data privacy and security policy or procedure that falls within the corrective action plan’s scope. He said that the use of this provision “opens up the potential for further regulatory action and the potential for liability that wouldn’t otherwise be there.”
Change will be coming to HHS next year with President-elect Donald Trump’s administration and his nominee to head the agency, Rep. Thomas Price, R-Georgia, a surgeon and foe of the Affordable Care Act, also known as Obamacare. But Zacharias said the uptick in HIPAA enforcement would likely remain regardless.
About 12.5 million medical records were breached between September 2009 and August 2016, according to the Privacy Rights Clearinghouse, a nonprofit education and advocacy group based in San Diego.
“I think cybersecurity is generally a bipartisan issue,” Zacharias said, “so for that reason it’s unlikely that we’re going to see a directive from the administration to cool it on enforcement.”
Have you followed us on Facebook?