By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

In September 2020, the Department of Health and Human Services (HHS) announced three settlements to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlements, totaling $10.6 million, stem from data breaches in which hackers were able to access and obtain individuals’ protected health information (PHI) from U.S. health providers. Combined, the three hacking incidents compromised the health information of more than 16 million patients.

Summary of the HIPAA Security Rule Settlements.

On September 21, 2020, the Office of Civil Rights, or OCR, the division of HHS which receives and investigates HIPAA complaints, announced a settlement with an orthopedic clinic in Georgia. The clinic agreed to pay $1.5 million after a 2016 hacking incident that compromised over 200,000 patient records. Part of the settlement included a Corrective Action Plan, or CAP, which the clinic agreed to adopt, to help prevent future breaches of privacy. Click here to view the resolution agreement and Corrective Action Plan (CAP).

On September 24, 2020, the OCR publicized a settlement with an information technology (IT) and health information management company. The business agreed to pay $2.3 million to settle claims of systemic security rule violations relating to a 2014 hacking incident impacting the protected health information (PHI) of more than 6 million individuals. Click here to read the settlement agreement.

Days later, the OCR released information about a $6.85 million settlement with Premera Blue Cross, the largest health plan in the Pacific Northwest. The settlement, the second largest to date, related to a 2015 cyber-attack which exposed the health information of more than 10 million individuals. To read the resolution agreement in full, click here.

In regard to these settlements, the OCR alleged that the following security rule violations had occurred:

1. Failure to conduct an adequate and thorough risk analysis;

2. Failure to implement sufficient mechanisms to record and examine system activities;

3. Failure to enter into business associate agreements with vendors with access to electronic protected health information;

4. Failure to implement reasonable security measures to reduce risks and vulnerabilities;

5. Failure to respond to and document a known security incident;

6. Failure to implement technical policies and procedures regarding access; and

7. Failure to implement procedures to regularly review system activity logs and reports.

Readers could use the above as a compliance checklist to make sure their own systems of records are being properly protected.

Consequences of HIPAA Rule Noncompliance.

The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity, and availability of e-PHI. HHS is responsible for administering and enforcing these standards, along with enforcement of the HIPAA Privacy Rule. Therefore, the agency may conduct complaint investigations and compliance reviews. To learn more details about the HIPAA Security Rule, click here.

HHS looks for systems failures, prior breaches, missing risk analyses, or absence of or inadequate HIPAA policies. Without question, any compliance violations will result in an enforcement action. And as these three settlements have demonstrated, enforcement can be costly.

Don’t Wait Until It’s Too Late, Protect Yourself from HIPAA Security Rule Compliance Violations.

Businesses and organizations need to acknowledge the need to act and create a HIPAA Security Rule compliance plan. Locating existing security policies and the last completed risk analysis is an essential step in compliance. If it has been over a year, perform or update a risk analysis to identify risks or vulnerabilities on all systems that contain any e-PHI. Security Rule compliance requires regular attention and detailed records. Take steps now to help protect e-PHI from data breaches, and avoid millions of dollars in settlements or fines.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The Health Law Firm represents physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions to investigate and defend alleged HIPAA complaints and violations and prepare Corrective Action Plans (CAPs). Our attorneys regularly defend OCR HIPAA audits, defend in HIPAA complaint investigations, assist in preparing HIPAA Risk Analyses, defend in federal administrative actions and administrative hearing cases, and defend in civil or administrative litigation of HIPAA/breach of medical confidentiality lawsuits.

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Kraus, Anna and Carrier, Tara. “HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative.” Lexology. (October 6, 2020). Web.

Castricone, Dena. “The Crushing Cost Of HIPAA Security Rule Noncompliance.” Law360. (October 1, 2020). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2021 The Health Law