Report on Patient Privacy 24, no. 11 (November, 2024)
Covered entities (CEs) and business associates (BAs) may receive a “discount” for having recognized security practices (RSPs) in place when the HHS Office for Civil Rights (OCR) calculates financial penalties for Security Rule violations. But which RSPs count, and how much they count, remain a tantalizing mystery.
OCR recently fined Providence Medical Institute (PMI) $240,000, which the agency said reflected a 20% discount, but the discount merited just four words in the documents OCR shared online, and officials did not respond to RPP’s requests for more information.[1]
For their part, PMI officials told RPP they had hoped to avoid paying a fine but did not answer any other questions, including what the 20% reflects—but they might not know.
RPP has learned that OCR, when calculating a penalty, sends CEs and BAs the language in the 2021 statute that required OCR to consider RSPs and asks for information about the RSPs they had in place during the previous 12 months. Then it sends a letter describing possible fines and the percentage by which they have been reduced for RSPs—but offers no details.
HIPAA old-timers might recognize the Providence name. Although OCR said PMI had no history of noncompliance with HIPAA regulations, a spokesperson for PMI confirmed it is part of what was then called Providence Health & Services, which was involved in OCR’s very first enforcement action against a CE for HIPAA violations, back in 2008.
At that time, Providence agreed to pay $100,000 and implement a three-year corrective action plan (CAP). Providence experienced the loss or theft of four backup tapes, two optical discs and four unencrypted laptops from 2005 to 2006. In total, the incidents compromised the protected health information (PHI) of “over 386,000 patients.”[2]
The 2021 law requires OCR to take RSPs into account when assessing fines, conducting audits and taking other enforcement actions, retroactive to 2016.[3] Agency leaders pledged to issue regulations or at least guidance about how they would do this, but OCR never moved beyond an April 2022 request for information—even in the face of pleading by the American Hospital Association. Instead, OCR posted a 30-minute video on YouTube about this in October 2022.[4]
Most of OCR’s enforcement actions come in the form of negotiated settlement agreements, and these, by their nature, generally don’t include any explanation of the calculation behind payment totals. As such, there had been no evidence that the agency was taking RSPs into account—but the new penalty against PMI changed that.
In early October, OCR announced the fine, which followed a six-year investigation triggered by three related ransomware attacks that gripped PMI, a nonprofit physician group based in Torrance, California, in 2018.[5] According to its website, PMI has 200 providers, 32 medical offices and seven urgent care centers. PMI is part of Providence Health System, which includes 51 hospitals in seven states and a health plan.
In its March 29 notice of proposed determination posted online, OCR said it gave PMI a 20% discount for having RSPs. This is not mentioned in its news release. OCR cited two HIPAA violations: PMI lacked a BA agreement (BAA) with an IT vendor and had insufficient access controls.
PMI ‘Disappointed’ by Fine
The fine, announced Oct. 3, marked OCR’s fifth enforcement action resolving an investigation that began after a ransomware attack (which, by itself, is not a HIPAA violation). OCR announced two more settlements on Oct. 31, which RPP will cover in a future issue.
As OCR related in the determination letter, on April 18, 2018, PMI filed a breach report noting unauthorized access and encryption of its Center for Orthopaedic Specialists’ (COS) eClinicalWorks electronic medical record system on three consecutive Sundays in 2018—Feb. 18, Feb. 25 and March 4.
“Throughout OCR’s inquiry, PMI maintained full cooperation and transparency. We are disappointed that OCR has chosen to levy penalties despite the circumstances of the violations and PMI’s efforts to adhere to privacy laws,” the PMI spokesperson told RPP. “All patients were notified when the breach occurred and offered no-cost credit and identity protection services to further safeguard their personal information. We have no reason to believe that this information has been misused.”
The spokesperson also noted that “PMI had proactively reported [the attacks] to OCR in 2018,” and said that it “consistently prioritizes the privacy and security of the information entrusted to us, and remains committed to integrity, transparency, and exceeding regulatory and internal standards.”
PMI bought the orthopedic group at issue in 2016 and was using its IT vendor until the May 2019 conclusion of what amounted to a protracted, three-year integration process, according to the March 29 notice. The attacks were all attributed to the same source, which OCR did not identify. The third was perpetrated via “remote desktop access to COS’s systems through administrator credentials that had been compromised during one of the first two attacks,” a detail that shows the compromised credentials were still valid after PMI had recovered from the earlier incidents.
The agency said the initial attack began “after a workforce member clicked on a phishing email.” In the first two incidents, PMI had backup tapes and was able to restore its systems “within days,” according to OCR, which did not address how PMI recovered from the third attack.
OCR Sought Evidence of RSPs in 2021
In each instance, “compromised data included ePHI [electronic protected health information] belonging to 85,000 individuals. The compromised ePHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers, and other financial information,” OCR said.
As OCR’s notice states, “Public Law 116-321 requires that OCR consider RSPs that HIPAA covered entities adequately demonstrate had been in place for a period of not less than the previous 12 months when determining a civil money penalty. On August 25, 2021, OCR submitted a data request providing an opportunity for PMI to adequately demonstrate that it had RSPs in place. PMI responded to OCR’s data request on October 6, 2021. Upon examination of all the data, policies and procedures, OCR determined that PMI’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 405(d) of the Cybersecurity Act of 2015 (CSA).”
The $240,000 fine reflects a number of adjustments, including for RSPs. Both violations were assessed at $1,379 per day under the reasonable cause penalty tier, with each violation capped at $100,000 per calendar year.
OCR said PMI lacked a BAA from July 2016 until June 15, 2018, but, by law, it could only go back six years from the date of the proposed determination. Thus, it calculated the BAA fine only for the period of April to June 2018 (75 days, or $103,425, capped at $100,000). OCR said PMI lacked access controls for 417 days spanning two calendar years, which it capped at $200,000 ($100,000 for each year).
The agency then reduced the $300,000 fine by a “20% reduction for RSPs: $240,000.”
This is not the only HIPAA-related recent development of note. Triggered by the Change Healthcare breach and what he considers OCR’s overall lax enforcement, Sen. Ron Wyden, D-Ore., introduced a bill increasing fines OCR can impose, requiring it to restart its security audit program and mandating HIPAA compliance attestations that could land a CE or BA officer in prison for false statements should it later be found that the organization was not in compliance.[6]
In addition, OCR Director Melanie Fontes Rainer announced the agency is beginning an enforcement initiative based on CEs or BAs that fail to conduct an appropriate risk analysis, and it issued two such settlements.[7]
1 U.S. Department of Health and Human Services, “Providence Medical Institute Notice of Proposed Determination,” March 29, 2024, content last reviewed October 3, 2024, https://bit.ly/3TWwLQy.
2 U.S. Department of Health and Human Services, “Resolution Agreement: HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information,” July 16, 2008, content last reviewed December 23, 2022, https://bit.ly/3YdQWKV.
3 Theresa Defino, “Congress Gives Organizations a Break on HIPAA Fines,” Report on Patient Privacy 21, no. 1 (January 2021), https://bit.ly/40u9R76.
4 Theresa Defino, “OCR Shares Information About Recognized Security Practices, Clarifies No ‘Safe Harbor,’” Report on Patient Privacy 22, no. 12 (December 2022), https://bit.ly/3Aqa54y.
5 U.S. Department of Health and Human Services, “HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation,” news release, October 3, 2024, https://bit.ly/3Ne25GQ.
6 U.S. Department of Health and Human Services, “Resolution Agreement: HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information.”
7 Jane Anderson, “OCR Targets Shoddy Risk Analyses in Rebranded ‘Enforcement Initiative,’” Report on Patient Privacy 24, no. 11 (November 2024).