2018 ended up being a record year for HIPAA enforcement actions. According to the Office for Civil Rights (OCR) 10 cases were settled and granted summary judgments in a case before an Administrative Law Judge totaling over $28 million from enforcement actions, far surpassing the previous record of just over $23 million in 2016. As part of the recent announcement, OCR provided a HIPAA summary of 2018 settlements and judgments:
•January 2018, OCR settled for $100,000 with Filefax, Inc., and for $3.5 million with Fresenius Medical Care North America. Both were required to adopt a corrective action plan.
•June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil money penalties and adopt a corrective action plan for HIPAA violations.
•September 2018, OCR announced that it has reached separate settlements totaling $999,000 with Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital (this was the privacy of patients’ PHI violation resulting from the filming of an ABC television network documentary). OCR also settled with Advanced Care Hospitalists for $500,000 in a separate and unrelated enforcement action.
•October 2018, OCR settled with Allergy Associates, for $125,000 – which was a small amount – compared to the largest settlement to date that occurred with Anthem, Inc. who paid $16 million to OCR after a series of cyber attacks led to the largest U.S. health data breach in history!
•November 2018, Pagosa Springs Medical Center paid $111,400 to OCR to settle potential HIPAA violations.
•December 2018, OCR Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules
The majority of organizations entering settlements with the OCR failed to conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI. In other words, they did not perform a Security Risk Analysis (SRA) at all or failed to complete one that was sufficient for HIPAA regulations. It is also apparent many of these same organizations failed to obtain or maintain current business associate agreements with their contractors. Therefore, it is recommended an initial SRA is completed and subsequent reviews thereafter not ever be considered optional. In fact, a HIPAA Complaint SRA may be a healthcare organization’s best defense in the event of an OCR investigation.