In a flurry of recent activity, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced eight resolution agreements since September 15, 2020. These resolution agreements settle alleged HIPAA violations by a range of organizations, from small psychiatric care providers to a large health insurer, and have affected covered entities and business associates alike. The settlement payments range widely as well, from a low of $3,500 to a second-highest-ever $6.85 million. However, the bases for the resolution agreements align with the areas that have received consistent emphasis from OCR in recent years.
Right of Access
On September 15, 2020, HHS announced that it had settled five investigations brought under its HIPAA Right of Access Initiative, continuing earlier enforcement in this area. The HIPAA Right of Access Initiative is intended to support individuals’ right to access their health records at a reasonable cost and within a reasonable timeframe. According to OCR Director Roger Severino, “[p]atients can’t take charge of their health care decisions, without timely access to their own medical information.” Notably, all of the settlements were relatively small (the highest by far was $70,000), as were most of the affected providers. Even so, the volume of settlements underscores OCR’s effort to “send a message” about compliance with the HIPAA regulations, particularly with regard to the right of access.
Security Rule Compliance & Business Associate Agreements
In a settlement that is notable for the combination of the size of the payment and the affected provider type, OCR announced on September 21, 2020, a settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”). The resolution agreement resolved alleged HIPAA violations discovered after Athens Orthopedic, a covered entity, suffered a data breach.
On June 26, 2016, a journalist notified Athens Orthopedic that a database of its patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic demanding money in exchange for a promise to return, and not further disclose, the database it had stolen. A subsequent computer forensic analysis determined that the hacker had obtained a vendor’s credentials to Athens Orthopedic’s system and used them to gain access on June 14, 2016. The hacker continued to access protected health information (PHI) until July 16, 2016, more than a month in total, resulting in a breach of the personal, medical, and financial information of 208,557 individuals. In other words, the intrusion had been underway for almost two weeks before the clinic learned of it, and it learned of it from a journalist rather than from its own monitoring, which bears directly on the audit-control allegation discussed below. According to Severino, “[h]acking is the number one source of large health care data breaches.”
HHS subsequently investigated Athens Orthopedic and alleged the following HIPAA violations, among others: (i) failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI (the Security Rule’s risk analysis requirement); (ii) failure to implement sufficient hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI (the Security Rule’s audit controls standard); (iii) failure to enter into business associate agreements with three of its business associates; and (iv) failure to provide its entire workforce with HIPAA training and to maintain copies of its HIPAA policies and procedures.
As part of the settlement with HHS, Athens Orthopedic agreed to pay HHS $1.5 million and to comply with a Corrective Action Plan (CAP). The CAP requires Athens Orthopedic to review its relationships with all vendors and third-party service providers to identify business associates that require a business associate agreement. The CAP also requires Athens Orthopedic to conduct an enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by Athens Orthopedic that contain, store, transmit, or receive ePHI. Athens Orthopedic must provide the results of this risk analysis to HHS and make any changes to its processes that HHS recommends.
The recent settlement agreements underscore that HIPAA compliance is critical for organizations of all sizes that handle PHI. Covered entities and business associates should take the areas of OCR focus into consideration when implementing and monitoring their HIPAA compliance programs. Patients’ access to their own PHI, compliance with the requirements of the Security Rule, compliant business associate agreements, and implementation of policies, procedures, and training have been recurring themes in OCR’s enforcement efforts. The recent activity may indicate that OCR is redirecting focus back to its regular enforcement activities following a lull in the first half of the year, potentially influenced by the COVID-19 public health emergency. As providers adjust to the “new normal” and look ahead, it is important to review HIPAA compliance measures as well.