The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.
- In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
- In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.
- In February, HHS announced it had assessed a civil monetary penalty of $3.2 million against Children’s Medical Center of Dallas. The penalty arose out of a 2013 breach report filed by the hospital, reporting the theft of an unencrypted laptop from its premises. However, HHS noted that this was not the first infraction by the hospital. In 2009, the same hospital filed a breach report with HHS noting the loss of an unencrypted, non-password protected blackberry device. HHS’s investigation found that the hospital had not adopted sufficient safeguards following the 2009 breach report and continued to use unencrypted laptops and mobile devices. Moreover, HHS found that the hospital had not implemented recommended risk management plans, including those recommended by the HHS Office of Inspector General, to protect electronic PHI. This penalty is noteworthy because, unlike most of other HIPAA enforcement actions, it did not come as a result of a settlement. HHS explained that while it “prefers to settle cases,” it declined to do so in this case because the covered entity had failed to implement reasonable safeguards following the initial breach.
- Finally, in February, HHS reached a $5.5 million settlement with a health care system after it was found that two employees inappropriately accessed patient information. This improper access led to federal charges for these employees for selling PHI and filing fraudulent tax returns. In its investigation, HHS found that the hospital system had failed to implement proper procedures to review records of information system activity, such as audit logs, access reports, and security incident tracking reports. HHS noted that the covered entity had workforce access policies and procedures in place, but had failed to implement these procedures with respect to reviewing, modifying and terminating users’ rights of access. This settlement should put covered entities and business associates on notice that HHS will look not only at whether the entities have required HIPAA policies in place, but what steps are being taken to implement and operationalize the policies.
This recent enforcement activity indicates that HHS continues to seek significant financial penalties from entities that do not comply with HIPAA’s requirements. Thus, covered entities and business associates should take steps to ensure that their HIPAA compliance programs are up to date and implemented properly.