What Comes Up, Must Go Down: Regulatory Trends and HIPAA

by ih-coc admin

by Jay Hodes, President - Colington Consulting 

Enforcement of HIPAA mandates by the HHS Office for Civil Rights (OCR) is more aggressive than ever before, “totaling $28.7 million from enforcement actions” in 2018, an increase of 22% over the previous record total of $23.5 million in 2016. According to an OCR press release, 2018 saw that office establish “an all-time record year” in HIPAA enforcement activity, settling “10 cases” and being “granted summary judgment in a case before an Administrative Law Judge.” One of these 10 settlements was the watershed HIPAA settlement with Anthem, Inc. for $16 million.

OCR Settlements* and Judgement** for 2018

Jan - FileFax* - $100,000
Jan - Fresenius Medical Care* - $3,500,000
Jun - MD Anderson** - $4,348,000
Aug - Boston Medical Center* - $100,000
Sep - Brigham & Women’s Hospital* - $384,000
Sep - Mass. General Hospital* - $515,000
Sep - Advanced Care Hospitalists* - $500,000
Oct - Allergy Associates of Hartford* - $125,000
Oct - Anthem, Inc.* - $16,000,000
Nov - Pagosa Springs* - $111,400
Dec - Cottage Health* - $3,000,000

Total - Settlements & Judgement: $28,683,400

While the current administration has touted, and continues to tout, a posture of deregulation, the reality on the ground for organizations that must comply with HIPAA is that OCR has only strengthened its enforcement mechanisms, showing very little tolerance for security and privacy breaches arising from:

  • The mismanagement, or the lack of proper storage, transmission, or disposal, of patient PHI and ePHI.
  • An incomplete or missing Business Associate Agreement (BAA) with any vendor that might be considered a Business Associate (BA) under HIPAA.
  • Cyberattacks via successful email phishing attempts targeting not just Covered Entity (CE) workers or employees, but also workers or employees of any vendor affiliated with the CE.
  • Incomplete or insufficient risk analysis and risk management processes on the part of the CE.

Across these 11 enforcement actions (several cases involved more than one finding, so the categories below overlap):

  • 6 organizations were found to have mismanaged or improperly stored, transmitted, or disposed of patient PHI and ePHI (Fresenius Medical Care North America, FileFax, Inc., MD Anderson, Allergy Associates of Hartford, Pagosa Springs, and Cottage Health)
  • 3 organizations did not have a BAA in place with vendors that are considered BAs under HIPAA (Advanced Care Hospitalists, Pagosa Springs, and Cottage Health)
  • 1 organization suffered a breach that began with an email phishing attack (Anthem, Inc.)
  • 4 organizations exposed PHI or compromised patient privacy through TV shows, interviews, or recordings (Allergy Associates of Hartford, Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital)
  • 4 organizations lacked the HIPAA-mandated risk analysis, risk management, or related policies and procedures (Cottage Health, MD Anderson, Advanced Care Hospitalists, and Fresenius Medical Care North America)

From this analysis, CEs and BAs can greatly reduce their exposure to settlements and judgements under the HIPAA Privacy Rule and the HIPAA Security Rule by instituting the following “golden rules” and ensuring their staff are fully trained in them:

  • Do have a robust and comprehensive plan to assess, identify, report, respond to, and manage all security and privacy risks.
  • Do ensure a signed and completed BAA is on file for every BA.
  • Do have highly specific protocols in place governing the collection, storage, transmission, and disposal of patient PHI and ePHI.

Best practices include annual and periodic training for the workforce, conducting the required security risk analysis on an ongoing, periodic basis, and internally enforcing HIPAA policies and procedures that cover the organization’s security management processes.

Organizations, large and small, must be aware of OCR’s aggressive enforcement posture and the record settlement amounts under the current administration. My advice for any organization is to conduct a thorough evaluation of the HIPAA compliance program currently in place and make sure all the requirements are covered. If a compliance program is not in place, consider outsourcing and letting a consultant do the heavy lifting; a consultant can often get the program in place much more quickly than the organization’s internal staff.