January 29, 2020

Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier

As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through.  It is in that spirit – and with apologies to Charles Dickens – that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.

The Ghost of HIPAA Past

2017 continued to be haunted by large-scale data breaches.  As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in US history in September, which involved highly sensitive information such as social security numbers and birth dates.  The Equifax breach didn’t involve health information, but in July, OCR sent a clear message regarding the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about data breaches and make it harder for offenders to hide in the aftermath of a breach. 

It was similarly terrifying that 2017 required guidance on HIPAA and natural disasters, but in the aftermath of several large-scale natural disasters, OCR issued guidance to remind health care providers of how health information may be used and shared in a crisis, consistent with HIPAA standards.

The Ghost of HIPAA Present

Aggressive HIPAA enforcement remained an ever-present reality in 2017 and there were a number of notable settlements imposed on regulated entities large and small:

  • OCR settled its first enforcement action for a health care provider’s failure to timely report a breach to OCR, affected individuals, and the media. It cost the health care company $475,000.

  • In April, OCR announced a tiny $31,000 settlement with a small health care provider for failing to produce a BAA with one of its business associates, and, just four days later, a separate $2.5 million settlement with a larger healthcare company for failing to implement sufficient HIPAA policies and procedures.

  • Memorial Hermann, a large health system, settled potential HIPAA violations with OCR for $2.4 million after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.

The Ghost of HIPAA Yet to Come

Of course, the Ghost of HIPAA Yet to Come is the scariest one of all. Iliana Peters, formerly OCR’s Senior Advisor for HIPAA Compliance and Enforcement, and presently OCR’s Acting Deputy Director for Health Information Privacy, provided insight into HIPAA enforcement trends and OCR’s current and future agenda at the 2017 Health Care Compliance Association’s annual “Compliance Institute.”  One of the highlights of Ms. Peters’ presentation was the anticipated implementation of HITECH Act provisions requiring a percentage of civil monetary penalties or settlements collected by OCR to be shared with individuals affected by a HIPAA violation. Given OCR’s willingness to impose seven-figure fines, it is likely that this development will incentivize data breach victims and others aggrieved by the privacy or security failures of a covered entity or business associate, and increase the stakes for non-compliance.  Ms. Peters’ presentation also referenced implementation of controversial updates to the HIPAA accounting rules which were passed as part of HITECH, but have yet to be implemented.

It’s not all doom and gloom on the horizon, however.  Earlier this week, OCR released a new set of tools and initiatives to help fight the nation’s current opioid crisis and implement the 21st Century Cures Act.  These tools support critical federal policy goals with the potential to have a significant, positive impact on health care.  OCR has promised additional guidance in the coming months.  So as 2017 winds down, there is reason to be hopeful for regulated entities that are willing to take advantage of available guidance and to learn from the mistakes of the past.  Everything that we learned in 2017 can be used to support HIPAA compliance in the months and years ahead.  So on that positive note, we wish everyone happy holidays and a 2018 that is free from the specter of non-compliance.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Dianne Borque, Of Counsel, Mintz

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's...

Sarah Beth S. Kuyers, Mintz Levin

Sarah Beth’s practice involves a variety of regulatory, transactional, and enforcement defense matters for clinical laboratories, hospitals, pharmacies, insurers, and other health care clients.

Sarah Beth routinely advises clients on a wide variety of federal and state health care regulatory issues, including anti-kickback and self-referral laws, licensure and scope of practice rules, telemedicine, certificate of need applications, food and drug law, and HIPAA compliance. She also handles licensure and regulatory filings for clinical laboratories and other health care providers.

On the transactional side, Sarah Beth provides regulatory counsel for mergers and acquisitions involving pharmacies, pharmacy benefit managers, and other health care providers. She has assisted clients with due diligence, licensing, change of ownership, and contract drafting and negotiation.

Sarah Beth’s enforcement defense experience includes representing health care clients in criminal and administrative actions brought by federal and state agencies for potential violations of the federal anti-kickback statute, the Stark Law, and the False Claims Act. She also has experience in internal investigations and compliance programs.

Sarah Beth actively participates in Mintz’s pro bono program. Currently, Sarah Beth represents children seeking Special Immigrant Juvenile (SIJ) Status from the U.S. Citizenship and Immigration Services. The SIJ program is available for foreign children who have been abused, abandoned, and neglected and have come to the United States.

Ellen L. Janos, Mintz Levin

Ellen utilizes her in-depth knowledge of health care regulation to assist clients with government audits and investigations, M&A and financing transactions, and corporate compliance activities. She also provides strategic advice to traditional health care providers, investors, and start-ups on telehealth initiatives as well as the traditional practice of medicine across multiple states. Ellen often comments on developments in telehealth, HIPAA, and the corporate practice of medicine. As an assistant attorney general for the Commonwealth of Massachusetts, Ellen represented state...