The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity. Enforcement actions in 2018 resulted in the assessment of $28.7 million in civil money penalties. Enforcement activity focused primarily on breaches of electronic protected health information (ePHI).
Under 45 C.F.R. 164.308, a covered entity must conduct “accurate and thorough assessment[s] of the potential risks and vulnerabilities . . . of [ePHI].” The final settlement of the year occurred in December 2018. In that settlement, Cottage Health agreed to pay $3 million to OCR and agreed to adopt a corrective action plan to remedy violations of the HIPAA Rules. The alleged violations pertained to December 2013 and December 2015 compromises of unsecured ePHI that implicated data of over 62,500 individuals. The ePHI breached included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results, and other treatment information. OCR concluded that Cottage Health failed to conduct risk assessments and failed to implement security measures to reduce vulnerabilities. In September 2018, OCR settled with Advanced Care Hospitals (ACH), a contractor physician group, for $500,000 after ACH reported that ACH patient information was viewable on a medical billing service’s website. The OCR investigation revealed that ACH lacked the required business associate agreement with the billing service provider, that it had not conducted a risk assessment, and that it had not implemented security measures or HIPAA policies or procedures before 2014. And, in October 2018, Anthem, Inc. paid $16 million (the largest HIPAA penalty ever assessed by OCR) after the largest health data breach in history. Anthem discovered that malicious actors had infiltrated its system through spear phishing emails and then accessed its network through undetected, continuous, and targeted attacks to extract data.
Another enforcement theme in 2018 focused on physical theft of PHI or devices containing ePHI. In January 2018, OCR settled with a medical records maintenance, storage, and delivery services provider, Filefax, Inc., after finding that Filefax left PHI in an unlocked truck in the Filefax parking lot and granted permission to unauthorized individuals to remove PHI. Additionally, in June 2018, an Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil penalties for HIPAA violations after a theft of an unencrypted laptop from the residence of an employee and the loss of two USB thumb drives.
OCR’s record-breaking enforcement activities in 2018 serve as a reminder to covered entities and business associates to conduct frequent and meaningful assessment of the security of any PHI they hold, to swiftly remediate any vulnerabilities discovered, and to carefully document the assessment, remediation, and general HIPAA policies and procedures.
This blog post is part of our ongoing coverage of HIPAA issues, which includes, among others: