November 18, 2017

November 17, 2017

Subscribe to Latest Legal News and Analysis

November 16, 2017

Subscribe to Latest Legal News and Analysis

November 15, 2017

Subscribe to Latest Legal News and Analysis

Lessons Learned from 2017 OCR HIPAA Enforcement Actions

So far 2017 is proving to be an active year for Health Insurance Portability and Accountability Act (HIPAA) enforcement. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300 percent increase in total collected fines over 2015. To date in 2017, nine actions have been settled and the average settlement amount continues to outpace 2016.

clipboard, stethoscope, formThree Tips to Help Reduce the Risk of a HIPAA Violation

Several themes have emerged from these enforcement actions that HIPAA-regulated entities should be mindful of to help reduce the risk of a HIPAA violation occurring and to reduce the potential resulting fine in the event of enforcement.

1. Conduct Risk Analyses Regularly. One of the most consistent themes that has emerged from the 2017 settlement and corrective action plans announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is that organizations subject to HIPAA must regularly conduct risk analyses in accordance with the Security Rule to assess risk and vulnerabilities in an organization’s ePHI environment. The Security Rule does not proscribe a specific risk analysis methodology given that the analysis will vary depending on an organization’s size and capabilities. However, the risk analysis should comply with available OCR guidance, including the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

[A] lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.
– OCR Acting Director Robinsue Frohboese

2. Implement a Risk Management Plan and Reasonable Safeguards. While conducting a risk analysis is critical, equally important is the risk management plan and the reasonable safeguards an organization adopts in light of any risks or vulnerabilities that are identified in the risk analysis. For example, OCR assessed a $3.2 million civil monetary penalty against a hospital in February, after noting that the hospital continued to use unencrypted devices even after reporting a breach in 2009 involving the loss of an unencrypted, non-password protected device. Note that the issuance of a penalty is rare, as most OCR enforcement actions result in a settlement, not a penalty. Here, however, the hospital chose to pay the penalty as opposed to negotiate with OCR.

chart, settlements, money3. Report Breaches in Timely Manner. A settlement announced in January made headlines as the first HIPAA settlement based on the untimely reporting or notification of a breach under the HIPAA Breach Notification Rule. OCR found that the healthcare network failed, with unreasonable delay, to notify OCR, the affected individuals, and the media within the required 60-day timeframe. Instead, the notifications were made over 100 days after discovery of the breach. This settlement highlights the importance of having clear policies and procedures that workforce members have been trained on in order to respond within HIPAA’s breach notification timeframes.

OCR Updated Web Tool

OCR recently announced the release of an updated web tool to provide enhanced transparency to the HIPAA breach reporting tool. New features include: 1) breaches currently under investigation and reported within the last 24 months; 2) an archive of all older data breaches; 3) tips for consumers; and 4) navigation to additional breach information.

© 2017 Foley & Lardner LLP

TRENDING LEGAL ANALYSIS


About this Author

Jennifer Rathburn, Foley Lardner Law Firm, Healthcare and Privacy Attorney
Partner

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their...

414-297-5864
Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and state and federal government regulators. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath. Prior to joining Foley, Ms. Hennessy was a health law associate with a large U.S. law firm based in Milwaukee.

617-502-3211
Julia Kadish, Foley Lardner Law Firm, Technology Drafting Attorney
Associate

Julia (Julie) Kadish is an associate with Foley & Lardner LLP where her practice focuses on drafting and reviewing technology agreements across a variety of industries, and counseling clients on privacy and data security matters, including data breach response and preparedness. She also has experience implementing corporate compliance programs from an initial risk assessment to implementation, training, and annual audits. Ms. Kadish is a Certified Information Privacy Professional (CIPP/US).

312-832-4911