The Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), Roger Severino, has expressed his desire to find a suitably large HIPAA breach to make an example of, and so teach other healthcare organizations about the dangers of failing to follow HIPAA Rules. He went as far as saying that finding such a “big, juicy, egregious” breach will be his enforcement priority for 2017.
Severino made the statement at the ‘Safeguarding Health Information’ conference. The conference is run jointly by OCR and NIST, and brings together government officials and those in private industry to discuss healthcare cybersecurity.
During his statement, Severino said “I have to balance that law enforcement instinct with the educational component that we do… I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”
When OCR decides which cases of HIPAA violations it will pursue, it considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. Hence Severino’s desire to find a particularly notable HIPAA breach with which to warn the industry about the dangers of violating HIPAA Rules.
Severino did not specify which part of the HIPAA legislation OCR is hoping to highlight in the coming months, but he made clear that small organizations are not exempt. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”
Severino went on to talk about the increasing number of complaints that OCR receives in relation to HIPAA violations. More than 20,000 complaints about security incidents and privacy violations are reported to the organisation each year. OCR employs staff dedicated to providing technical assistance to help covered entities comply with HIPAA Rules. By providing this assistance, OCR hopes to significantly reduce the number of complaints and cultivate a “culture of compliance” throughout the country.
The majority of HIPAA violations are resolved through technical assistance and voluntary compliance. However, in cases of particularly egregious breaches of HIPAA Rules, financial penalties may be levied against the covered entity. The size of the financial penalty is calculated based on the nature of the breach, the number of people affected, the size of the organisation, its response to the breach, and other factors.
So far in 2017, OCR has agreed eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches, and has issued one civil monetary penalty. These are, in order of size:
- Memorial Healthcare System ($5.5 million)
- Children’s Medical Center of Dallas ($3.2 million, civil monetary penalty)
- Cardionet ($2.5 million)
- Memorial Hermann Health System (MHHS) ($2.4 million)
- MAPFRE Life Insurance Company of Puerto Rico ($2.2 million)
- Presence Health ($475,000)
- Metro Community Provider Network ($400,000)
- St. Luke’s-Roosevelt Hospital Center Inc. ($387,000)
- The Center for Children’s Digestive Health ($31,000)
Memorial Healthcare System, a health system consisting of 6 hospitals and various other facilities in South Florida, faced the largest financial penalty of any HIPAA covered entity in 2017. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff. OCR used this settlement to highlight the importance of audit controls and the need to carefully monitor who has access to ePHI, and to regularly review that access.
Cardionet agreed to a $2.5 million settlement for multiple potential violations of HIPAA Rules. The breach resulted from the theft of an unencrypted laptop computer from the healthcare services provider, which exposed the ePHI of 1,391 patients. OCR used this as an educational opportunity for covered entities on the importance of conducting a comprehensive risk assessment and of addressing vulnerabilities to the confidentiality of ePHI, in particular on portable devices.
OCR announced a $2.4 million settlement with Memorial Hermann Health System following HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.
In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The PHI of 2,209 customers was compromised following the theft of an unencrypted pen drive containing the sensitive data. The investigation revealed multiple violations of HIPAA Rules, including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI, and the failure to implement appropriate policies to safeguard ePHI.
OCR issued a civil monetary penalty against Children’s Medical Center of Dallas for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. As a result of the organisation’s repeated violations of HIPAA Rules, around 3,800 records in total were exposed across several incidents, including the loss of an unencrypted BlackBerry device in 2009 and the misplacing of an unencrypted laptop containing 2,462 records in 2013.