2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA
According to a December 20, 2019 report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that it is more than double what was reported in all of 2018. It appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.
This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).
Hacking/IT Incidents Continue to Grow
The increase in breach reports appears to be related to continued growth in breaches caused by third-party hacking, ransomware, and related malware incidents (collectively, “Hacking/IT Incidents”). For instance, in 2019, a third-party collection agency specializing in delinquent healthcare accounts had a data security incident in which an unauthorized user had access to the agency’s computer systems and, in turn, the PHI of those Covered Entities (hospitals, health systems, etc.) that contracted with the agency, a “Business Associate” to each of its Covered Entity clients. As a result of the incident, the PHI of tens of millions of patients was impacted, and the agency’s clients became subject to HIPAA enforcement action and civil suits filed by their impacted patients in both state and federal courts. Given the continued growth of Hacking/IT Incidents, Covered Entities would be well advised to strengthen their IT systems to withstand foreign and domestic attacks by adopting the Best Practices described in our prior blog referenced above.
OCR Revises Penalty Amounts to Align with Culpability
In April 2019, the OCR published a Notification of Enforcement Discretion explaining a change in policy revising the OCR’s interpretation of the HITECH Act. The OCR revisions: (i) decreased the limits for the annual penalties, and (ii) implemented a sliding scale to be applied to instances in which the entity was less culpable (i.e., No Knowledge, Reasonable Cause, and Willful Neglect that was corrected). Therefore, if a Covered Entity can show that it had policies and procedures in place to prevent HIPAA breaches and the Covered Entity routinely followed such policies and procedures, the penalties imposed against the Covered Entity would be less than they would have been if no such policies and procedures were in place. However, if the OCR finds that a Covered Entity willfully neglected its obligations and failed to correct known inadequacies in its HIPAA policies or procedures, the OCR will continue to penalize such Covered Entities with high dollar amounts. As highlighted in the following tables comparing the penalties before and after the Notification of Enforcement Discretion, the OCR is moving from a system where all types of culpability could lead to a maximum annual penalty of $1,500,000 to one where the annual limits for less culpable offenses are between $25,000 and $250,000. The following summary charts showing the change in penalty tiers were included in the above referenced notification.
Soon after the Notification of Enforcement Discretion was published, the OCR made public a Press Release and Notice of Final Determination which provided an example of how the OCR would exercise this new policy in connection with a series of incidents and failures by Jackson Health System (“JHS”). For one of the failures, the OCR fined JHS the maximum annual penalty for the highest level of culpability, $1.5 million. Notably, it appears that the OCR’s overriding concern with JHS was “wide-spread and longstanding deficiencies in protecting PHI,” since these deficiencies continued between 2012 and 2018 without effective remediation. In other words, the OCR found that JHS was acting with Willful Neglect that remained uncorrected. For several other failures where JHS was less culpable, the reduced annual penalty limits under the new policy capped the assessed penalties at only $100,000 per year, despite the calculated penalties being as much as three times that per year. Ultimately, JHS was spared approximately $1.2 million in fines under the new policy.
More recently, HHS reported in a November 5, 2019 Press Release that the OCR entered into a $3 million HIPAA Settlement Agreement with the University of Rochester Medical Center (“URMC”) for multiple lapses (2010, 2013, 2017) in the encryption of mobile devices. As described in the Press Release, “Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.” Because the URMC case was settled, details of how the OCR arrived at the amount of $3 million were not provided. Nonetheless, it appears safe to assume that for each of the repeated offenses in 2013 and 2017, URMC was fined $1.5 million, the applicable annual penalty limit for its level of culpability.
Right of Access Initiative
In the earlier part of 2019, the OCR announced the Right of Access Initiative, promising to vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. In our October 17, 2019 blog post, we discussed the first enforcement action by the OCR under this new initiative. In that case, Bayfront Health St. Petersburg (“Bayfront”), an academic medical center in St. Petersburg, Florida, failed to provide a patient with timely access to the patient’s designated record set. In December, the OCR announced that it had settled a second case under the Right of Access Initiative with Korunda Medical, LLC (“Korunda”). Similar to Bayfront, Korunda repeatedly failed to provide timely access to medical records. In addition, Korunda failed to provide the records in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA. Notably, in BOTH cases, the OCR found that the violation of HIPAA’s right of access guarantee warranted an $85,000 financial penalty, as well as the imposition of a corrective action plan. While there are only a couple of known enforcement actions under the Right of Access Initiative to date, it appears that Covered Entities may expect at least an $85,000 penalty along with a corrective action plan if they fail to provide timely access to a patient’s medical records.
Responding to Social Media Reviews Can Lead to Penalties
While it might not necessarily be part of a new trend or initiative by the OCR, a press release dated October 2, 2019 signaled the OCR’s position on how Covered Entities should react to social media reviews. The details of this case are not entirely clear, but it appears that the patient at issue posted a negative review of Elite Dental Associates, Dallas (“Elite”) on Elite’s Yelp page, and Elite responded to the review with the patient’s PHI. Following a complaint by the patient, the OCR found that Elite had also revealed the PHI of several other patients on Yelp. Although Elite was subjected only to a relatively low penalty of $10,000 and a corrective action plan, this incident should serve as a warning to other stakeholders that Covered Entities may not reveal any PHI on social media without the proper authorizations. Notably, it appears that there is no leniency for the Covered Entity in situations where the patient takes the first step by posting a review on a social media site. A Covered Entity remains prohibited from responding in any way that improperly discloses PHI, regardless of any prior disclosures by the patient on social media.