HIPAA Enforcement: 2017 Year in Review

January 5, 2018 David Holtzman

2017 will go down as a year of change for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of 2016, which saw an unprecedented level of enforcement activity, with 13 total settlements and nearly a 300% increase in total collected fines over 2015. In 2017, nine compliance reviews were settled with resolution agreements, in addition to one HIPAA enforcement action in which a civil monetary penalty was levied. A total of $19.4 million in fines and penalties was collected by OCR in 2017 through its enforcement actions.

OCR’s enforcement approach has quietly undergone a significant change: enforcement actions are now resolved informally when the covered entity or business associate corrects its compliance problems, without the government levying fines or penalties for HIPAA violations. In 2017, over 800 cases were closed through this informal enforcement approach. The number of case closures through informal resolution in 2017 increased by 10% over the number in 2016.

What Did We Learn from OCR HIPAA Enforcement Actions in 2017?

Several themes emerged from OCR enforcement actions that covered entities and business associates should keep in mind to help ensure their compliance with the HIPAA requirements.

  • Performing risk analyses is crucial. One of the most consistent themes to emerge from the resolution agreements and corrective action plans announced by OCR is that HIPAA covered entities and business associates must regularly conduct enterprise-wide information security risk analyses in accordance with the Security Rule to assess risks and vulnerabilities. The Security Rule does not prescribe a specific risk analysis methodology; however, CynergisTek recommends performing the risk analysis using the NIST Cybersecurity Framework (NIST-CSF). Unlike some other frameworks, the NIST-CSF has been optimized to meet the requirements of the HIPAA Security Rule.
  • Develop a risk management plan. While conducting a risk analysis is critical, a risk management plan ensures that reasonable safeguards are actually adopted in response to the risks and vulnerabilities the risk analysis identified.
  • Have business associate agreements with vendors. A number of settlements in 2016 and 2017 made headlines when covered entities disclosed PHI to contractors and vendors without first ensuring that appropriate safeguards to protect PHI were in place. The vendor subsequently suffered a breach that resulted in the PHI of individuals being disclosed without authorization, in violation of the Privacy Rule. The HIPAA rules require that a signed business associate agreement be in place before the vendor creates, receives, or maintains the covered entity’s PHI. An effective vendor management program ensures that third-party vendors have appropriate security safeguards to protect the organization’s PHI, as well as the required business associate agreement.

2017 OCR HIPAA Enforcement Fines and Penalties

Organization | Fine Total | Link to OCR Settlement
--- | --- | ---
Presence Health | $475,000 | First HIPAA enforcement action for lack of timely breach notification
MAPFRE | $2,200,000 | HIPAA settlement demonstrates importance of implementing safeguards for ePHI
Children’s Medical Center of Dallas | $3,200,000 | Lack of timely action risks security and costs money
Memorial Healthcare System | $5,500,000 | $5.5 million HIPAA settlement shines light on the importance of audit controls
Metro Community Provider Network | $400,000 | Overlooking risks leads to breach, $400,000 settlement
Center for Children’s Digestive Health | $31,000 | No Business Associate Agreement? $31K mistake
CardioNet | $2,500,000 | $2.5 million settlement shows that not understanding HIPAA requirements creates risk
Memorial Hermann Health System | $2,400,000 | Texas health system settles potential HIPAA violations for disclosing patient information
St. Luke’s Roosevelt Hospital System | $387,200 | Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387K
21st Century Oncology | $2,300,000 | Failure to protect the health records of millions of people costs entity millions of dollars
2017 Total | $19,393,200 |

Only You Can Prevent HIPAA Enforcement Actions

Healthcare providers, health plan administrators, and business associates should take measures now to identify and fix the gaps that threaten the confidentiality or security of their PHI. In addition, they should take steps to review and replace policies and procedures that are out of date or that no longer align with the organization’s business or information system operations. Some best practices to prepare now include:

  • Use OCR’s 2016 audit protocol as a benchmark for evaluating compliance and performance against the requirements of the Privacy, Security, and Breach Notification Rules.
  • Make sure you have conducted an information security risk analysis within the last year and that the gaps identified have been transferred to a risk management plan that tracks progress toward mitigating threats to PHI.
  • Subscribe to OCR’s Listserv to keep current with the latest guidance, FAQs, and advisories concerning the HIPAA Rules and cybersecurity alerts.
  • Ensure you have access to all documentation needed to demonstrate compliance with the health information privacy and security rules.
  • Consider conducting a mock audit or engaging a third-party specialist to make sure you are prepared for an OCR complaint investigation or compliance review.

Please contact us if you have any questions or need help assessing your HIPAA compliance or information security preparedness.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security, and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing, and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup” and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
