An attorney from the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) recently disclosed that covered entities could face increased scrutiny for HIPAA violations in 2014. Specifically, the attorney warned that HHS could issue more penalties for HIPAA violations and enter into more settlement agreements in the next year alone than the health care industry has seen to date. The statement from HHS is particularly ominous when one considers the following statistic: HHS imposed $3.5 million in penalties related to five separate HIPAA violations in 2013; in the first half of 2014, however, HHS has already entered into five settlement agreements and issued more than $7 million in penalties. The dramatic uptick in HIPAA enforcement by HHS underscores how serious the agency is about cracking down on HIPAA violations and verifies the statement made by the HHS attorney earlier this year.
HHS Continues to Target Large Covered Entities and Large Data Breaches
In May 2014, HHS entered into its largest HIPAA violation settlement agreement when New York-Presbyterian Hospital (NYP) and Columbia University (CU) agreed to a collective $4.8 million penalty.[1] The underlying HIPAA violation occurred when a CU physician attempted to deactivate a personally owned computer server on NYP and CU’s shared network. As a result of the physician’s actions, electronic protected health information (e-PHI) became accessible on internet search engines, which HHS attributed to the shared network’s deficient security policies and technical safeguards. Following an investigation, HHS concluded that NYP and CU had not developed or implemented an adequate risk management plan, had outdated privacy and security policies and training, did not maintain proper technical safeguards, and did not have the appropriate policies and procedures for authorizing access to e-PHI.[2] Violations such as these, which at their core result from inadequate privacy and/or security safeguards that can be easily addressed, typically result in larger penalties and more complex settlement agreements with HHS.
HHS is Increasing its Focus on Smaller Covered Entities
Although large breaches such as the one seen in the NYP/CU matter have routinely caught the attention of both HHS and the media in recent years, smaller breaches – and smaller providers – have flown somewhat under the radar. This clearly is no longer the case. For instance, in June 2014, HHS entered into an $800,000 settlement agreement with Parkview Health System, Inc. (Parkview), a nonprofit health care system that serves northeast Indiana and northwest Ohio.[3] The underlying breach occurred when several Parkview employees left 71 cardboard boxes containing approximately 5,000 to 8,000 patients’ medical records outside of a physician’s home, despite knowing the physician was not home at the time. Upon discovering the unattended records, the physician, who had requested the records in order to transfer her patients to new providers, filed a complaint with HHS.[4] Parkview’s settlement agreement included a corrective action plan that requires the covered entity to implement privacy and security policies and procedures and educate its workforce on HIPAA compliance to ensure that future unintentional disclosure of PHI is avoided. In addition to the $800,000 penalty imposed by HHS, complying with the corrective action plan will cost Parkview significant time and expense.
The impermissible use and disclosure of PHI, whether on paper or in electronic form (e-PHI), as well as the lack of appropriate safeguards to protect against such use and disclosure, is capturing the attention of HHS now more than ever. In light of this fact, and considering the HHS attorney’s enhanced enforcement forecast, covered entities and business associates should reexamine and renew existing policies and procedures, conduct a risk analysis to detect vulnerabilities, and train employees and staff who have access to PHI on how to prevent HIPAA violations, the costly penalties that violations carry, and the corrective action plans that could be imposed should a breach occur.
*Thank you to Summer Associate Sydney Normil for her contributions to this article.
[1] The HHS press release discussing the NYP/CU settlement can be found here.
[2] The Resolution Agreement between HHS and New York-Presbyterian Hospital can be found here.
[3] The HHS press release discussing the Parkview settlement can be found here.
[4] The Resolution Agreement between HHS and Parkview can be found here.