Between June and November 2016, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced seven high-dollar settlements to resolve alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules by both covered entities and business associates. Penalties ranged from $400,000 to $5.5 million (the largest HIPAA settlement to date against a single entity). Taken together with OCR's announcement that it intends to increase scrutiny of data breaches involving fewer than 500 individuals, and with HHS OCR's ongoing HIPAA audit program, these settlements underscore the importance of HIPAA compliance for covered entities and business associates alike.
It is important to note that while one or more data breaches were the initial catalyst for each of these investigations, once HHS OCR opens an inquiry, the agency does not necessarily limit its attention to the facts of that breach. HHS OCR can examine all aspects of compliance with the Privacy, Security, and Breach Notification Rules. The substantial penalties that can result from an HHS OCR inquiry do not necessarily turn on the size of the underlying data breach. For example, a $650,000 settlement in June resulted from an investigation prompted by a breach affecting 412 individuals. Size can matter, however: the largest HIPAA settlement to date, $5.5 million, followed a breach affecting approximately 4 million individuals.
The seven recent settlements, from the highest civil penalty amount to the lowest, addressed a range of alleged HIPAA violations:
The seven settlements underscore several important points for all covered entities and business associates to review with counsel and with their privacy and data security teams: