Since January 2017, the Department of Health and Human Services Office of Civil Rights (OCR) has entered into two Resolution Agreements for HIPAA violations, one Resolution Agreement for failure to timely report a breach, and one of only three Civil Money Penalties (CMP) imposed for HIPAA violations since 2009. In 2016, OCR entered into 12 Resolution Agreements. That was at least double the number in prior years.
Lesson One: If you are investigated by OCR for a HIPAA violation, be responsive.
Failure to timely respond to OCR notices may result in full imposition of CMP. Children’s Medical Center of Dallas was unable to reach a resolution with HHS and delayed requesting a hearing before an ALJ on the proposed CMP. The organization was required to pay the full CMP and could not assert affirmative defenses, arguments for waiver or reduction of the CMP, or appeal the CMP. Resolution Agreements are substantially less than the full CMP which is based on a fine assessed for each day of the violation. For a violation classified as “reasonable cause” (as opposed to “willful”), the minimum fine is $1000 per day with a calendar year cap of $1,500,000. OCR does not limit violations to the breach, but typically finds additional violations; some stretching over several years. In settlement discussions, OCR considers the financial condition of the organization; an important mitigating factor for small or distressed facilities. This is not considered in assessing CMPs.
Lesson Two: Conduct a comprehensive security risk analysis and implement corrections.
Overwhelmingly, the top violation found by OCR was failure to complete an accurate and comprehensive enterprise wide security risk analysis (“SRA”), implement an enterprise wide security risk management process and corrections to identified risks and vulnerabilities. Absence of a SRA was a factor considered by OCR in proposing the settlement amount and corrective action plan reached in many Resolution Agreements. In the Resolution Agreement with Memorial Healthcare System, OCR noted violations that extended into the organized health care association (OHCA) when an affiliated physician group’s former employee login was used for over a year to access PHI to commit fraud. OCR recognized that the absence of a SRA, including all affiliated organizations within the OHCA, was a significant omission. Inadequate system audits and access controls would have been identified and could have prevented the breach.
Lesson Four: Encryption and device tracking.
More than half of the 2016-2017 Resolution Agreements addressed the failure to encrypt and then track mobile and portable devices on which ePHI is stored. If encryption is not implemented, then you must document the reason, and the alternative equivalent used. Monitoring movement of mobile and portable devices is a critical safeguard. In each instance, the loss or theft of the device occurred because it was left in an insecure or unmonitored location.
Lesson Five: Business Associate identification and management is critical.
One of the largest settlements to date, $5.5 million reached with Advocate Health, was based in part on failure to have a business associate agreement with a billing company service provider. A covered entity, as well as its business associates, is liable for the HIPAA violation of the business associate. It is important not only to enter into business associate agreements but to also monitor and verify a business associate’s HIPAA compliance.
Other Enforcement Risks: False Claims Act and overpayment risks are associated with HITECH meaningful use attestation of HIPAA compliance.
Not only may failures in HIPAA compliance result in an investigation by the OCR, you may also be at risk in audits by the Department of Health and Human Services Office of Inspector General (OIG), False Claims Act actions or for Medicare Overpayments initiated by the government or whistleblowers. Payment of an incentive under the HITECH EHR Incentive program is conditioned on certification of compliance with specific HIPAA technical security requirements, including performing a security risk analysis. This may also be a material factor going forward in the amount of reimbursement paid by CMS. The OIG 2017 Work Plan specifically targets audits of EHR incentive recipients “to determine whether they adequately protect electronic health information.”