After a relatively slow first six months, 2018 turned into an active year for HIPAA enforcement, with the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announcing the largest-ever HIPAA settlement ($16 million) with Anthem in October 2018. The 2018 resolutions highlighted several compliance points that have received consistent focus from OCR, including the importance of utilizing compliant business associate agreements, conducting enterprise-wide security risk assessments, and remediating identified vulnerabilities. Other notable 2018 HIPAA activity included the pending Ciox ligation (challenging, in part, HHS guidance on fees that providers may charge to produce copies of patient medical records), and the HHS HIPAA request for information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules (responses were due by February 12, 2019). These developments highlight areas of recent HIPAA activity and can be instructive in identifying compliance focus areas for the year ahead.
2018 Resolution Agreements and Civil Money Penalties: Enforcement Trends and Compliance Pointers
Excluding the record $16 million settlement with Anthem, the average OCR penalties over the past three years have been approximately $1.7 million, with a range of $25,000 to $5.55 million. The fees imposed in 2018 were consistent with this trend, with fees (other than the Anthem settlement) that ranged from $100,000 to the year’s second-highest settlement of $4.3 million. 2018 saw eight resolution agreements and one ALJ ruling in favor of OCR. Each of the eight settlement agreements was also accompanied by a corrective action plan. Detailed information on the resolutions and ALJ ruling can be found on HHS’s Resolution Agreements and Civil Money Penalties website, and OCR has also released a summary of all 2018 OCR HIPAA settlements and judgments.
Some key enforcement trends and compliance pointers that can be gleaned from the 2018 settlement agreements include:
Compliant Business Associate Agreements must be signed with every business associate (from Google to individual contactors).
Security Risk Assessments (SRA) must be conducted and updated on an enterprise-wide basis.
Remediating identified vulnerabilities is a critical part of HIPAA compliance and is the action step following the completion of an SRA.
HIPAA eclipses self-defense: Covered Entities cannot reveal PHI in a manner not permitted by HIPAA, even if the patient puts the information at issue (e.g., by speaking to media, online review, posting to social media, etc.) and even if the patient’s comments are not flattering to the Covered Entity.
OCR has significant discretion in its settlement authority, and settlements are highly circumstance-specific (e.g., a breach affecting 79 million individuals resulted in a $16 million settlement, or an average of approximately $0.20 per person, whereas another breach which affected 1 individual resulted in a settlement of $125,000).
Other Notable Developments
In addition to the year’s settlement activity, 2018 saw other notable HIPAA developments, including:
Pending Ciox Litigation. Ciox Health, LLC (“Ciox”), a release of information (“ROI”) vendor that contracts with hospitals and other healthcare providers to fulfill requests for copies of medical records, filed suit against the U.S. Department of Health and Human Services (“HHS”) in the U.S. District Court for the District of Columbia on January 8, 2018 (docket number 1:18-cv-00040). In its complaint, Ciox challenges HHS rules, guidance, and enforcement related to producing copies of medical records and fees that providers may charge. Among other arguments, Ciox alleges that the guidance exceeds the authority granted to HHS by statute. Ciox may face some difficulty in pursuing the litigation, with HHS arguing in its Motion to Dismiss that Ciox lacks standing to bring the suit because the rules and guidance apply to “covered entities” (e.g., healthcare providers) and not to their “business associate” vendors, like Ciox. However, any outcome in the case will be significant for providers and ROI vendors, and oral argument is currently set for April 10, 2019.
HIPAA RFI: On December 14, 2018, OCR issued an RFI requesting input to assist OCR in identifying provisions of the HIPAA privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' PHI. The RFI requested information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals' rights with respect to it. Responses were due on or before February 12, 2019, and regulations.gov reports that 1,326 comments were received.
2018 was another active year for HIPAA developments, and the year’s activity points to several areas on which Covered Entities and Business Associates should focus their 2019 HIPAA compliance efforts. With the Ciox litigation and response to the RFI submissions pending, there are already potential changes to watch for in 2019, in addition to any resolution agreements that may be forthcoming over the course of the year.