Heavy HIPAA Enforcement Efforts!

By Mathew J. Levy, Esq. and Zoila Sanchez, J.D., M.P.H.

To date, the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”) has resolved 98% of nearly 257,000 Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule complaints. OCR has settled and imposed civil monetary penalties totaling $130,980,482.00. According to the HIPAA Journal, OCR’s enforcement efforts have increased in recent years. In particular, OCR settled nineteen cases in 2020. This 2020 increase can be attributed to OCR’s 2019 HIPAA Right of Access Enforcement Initiative.

To avoid HIPAA violation(s), “covered entities” and “business associates” should take a proactive approach instead of a reactive one. “Covered entities” such as hospitals, healthcare providers or health plans and “business associates” (those providing services to covered entities involving protected health information or “PHI” disclosure) generally know their HIPAA obligations, but may not be aware of recent trends in HIPAA enforcement and priorities, and how to prepare accordingly. 

ENFORCEMENT TRENDS

OCR’s 2020 report findings and its commitment to enforcement, as discussed in a previous publication, “OCR’s Audit Report Reveals Concerns That Continue To Guide HIPAA Enforcement,” remain relevant, as physicians and private practices (next to hospitals) are among the most common violators of HIPAA privacy regulations.

The top investigated issues in 2020 include: 

  • impermissible uses and disclosures;
  • safeguards, including administrative (e.g., conducting risk assessments) and technical (e.g., implementing tools for encryption and decryption); and
  • access.

The top HIPAA violations resulting in financial penalties arise from:

  • failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of PHI;
  • failure to enter into a HIPAA-compliant business associate agreement;
  • impermissible disclosures of PHI;
  • delayed breach notifications; and
  • failure to safeguard PHI.

OCR has continuously pursued egregious violations of the HIPAA Rules. Most recently, OCR announced the resolution of the twentieth investigation in its HIPAA Right of Access Initiative, resulting in an $80,000 settlement and corrective action plan. Specifically, HHS’ investigation found that Children’s Hospital & Medical Center failed to provide the complainant with timely access to PHI, which violates the HIPAA Right of Access requirement that covered entities take action on an access request within 30 days of receipt (or 60 days if an extension applies).

HEFTY HIPAA FINES:

Covered Entities: Most striking is a $6.85 million settlement and corrective action plan with Premera Blue Cross, a health insurer, for HIPAA risk analysis and risk management failures and other potential HIPAA violations. The violations impacted 10.4 million patients.

In January 2021, Excellus Health Plan, Inc. entered into a $5.1 million settlement and corrective action plan to settle potential HIPAA violations for a breach that impacted over 9.3 million people. The health insurer attributed the breach to cyber attackers who gained unauthorized access to its information technology system. Ultimately, OCR determined that the insurer had failed to conduct an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.

Business associates: At the end of September 2020, OCR announced a $2.3 million settlement with a business associate for a data breach attributed to hacking, which impacted 6 million people.

RECOMMENDATIONS: 

Just last month, the New York State Bar Association (“NYSBA”) HIPAA 2021 webinar highlighted OCR’s enforcement efforts following OCR’s expressed commitment to increased enforcement after the audit report findings. Notably, NYSBA’s recommendations for staying proactive and avoiding penalties include:

(1) conducting an enterprise-wide risk analysis;

(2) implementing risk management, information system activity, access, and audit controls; and

(3) updating internal compliance plans.

STAY INFORMED

Familiarize yourself with the issued guidance and update your Compliance Work Plan accordingly.

In addition, it is always helpful to seek advice from a Health Care Attorney for specific concerns.

Importantly, if you are a provider seeking clarification on how these changes may affect you, you can contact Mathew J. Levy at 516-926-3320 or mlevy@weisszarett.com.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.

ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.