The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.
In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.
Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.
While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.
A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:
Summary of 2016 HIPAA Settlements
| Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted |
| University of Massachusetts Amherst (UMass) | November, 2016 | $650,000 | Malware infection | 1,670 |
| St. Joseph Health | October, 2016 | $2,140,500 | PHI made available through search engines | 31,800 |
| Care New England Health System | September, 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000 |
| Advocate Health Care Network | August, 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches) |
| University of Mississippi Medical Center | July, 2016 | $2,750,000 | Unprotected network drive | 10.,000 |
| Oregon Health & Science University | July, 2016 | $2,700,000 | Loss of unencrypted laptop / Storage on cloud server without BAA | 4,361 (combined total of two breaches) |
| Catholic Health Care Services of the Archdiocese of Philadelphia | June, 2016 | $650,000
|
Theft of mobile device | 412 (Combined total) |
| New York Presbyterian Hospital
|
April, 2016 | $2,200,000 | Filming of patients by TV crew | Unconfirmed |
| Raleigh Orthopaedic Clinic, P.A. of North Carolina | April, 2016 | $750,000 | Improper disclosure to business associate | 17,300 |
| Feinstein Institute for Medical Research | March, 2016 | $3,900,000 | Improper disclosure of research participants’ PHI | 13,000 |
| North Memorial Health Care of Minnesota | March, 2016 | $1,550,000 | Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) | 299,401 |
| Complete P.T., Pool & Land Physical Therapy, Inc. | February, 2016 | $25,000 | Improper disclosure of PHI (website testimonials) | Unconfirmed |
| Lincare, Inc.
|
February, 2016* | $239,800 | Improper disclosure (unprotected documents) | 278 |
*Civil monetary penalty confirmed as lawful by an administrative law judge
The largest HIPAA settlement of 2016 – and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.
The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.
2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.
Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.
This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.
Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”
However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.
What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.
The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.