Big or small, if you are a covered healthcare entity or business associate that handles protected health information (PHI) in any capacity, you should be aware that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is notably strengthening enforcement and sanctions related to the HIPAA Security and Privacy Rules. In fact, the OCR has recently announced that it is paying closer attention to smaller breach incidents – those involving 500 or fewer people – which in the past may have drawn less scrutiny.
This announcement also comes on the heels of Advocate Health Care Network (Advocate) agreeing to a $5.5 million settlement with the OCR after being flagged for multiple HIPAA violations. This was the largest settlement in the history of HIPAA enforcement actions. All in all, four million patient records were compromised as a result of Advocate’s failure to comply with HIPAA regulations, and the record size of the penalty is likely tied to OCR’s indications that Advocate failed to abide by some of the HIPAA Security Rule’s fundamental requirements.
Increase in HIPAA Settlement Payments is Becoming the New Normal
It wasn’t long ago when the OCR drew some skepticism for only levying “soft enforcement and compliance assistance.” However, the settlement with Advocate came through loud and clear as a resounding message that the OCR is cracking down harder on breaches that violate HIPAA regulations.
Similarly, in July 2016, the Oregon Health and Science University (OHSU) reached a hefty $2.7 million settlement with the OCR for a number of breaches stemming from incidents such as unencrypted laptops and an unencrypted thumb drive that was stolen. This large fine was levied after the enforcement agency determined that the actions taken by the OHSU to comply with HIPAA security regulations were deficient in scope and effectiveness—and in particular, that self-identified risks were not addressed in a timely fashion.
As the Workplace Privacy, Data Management & Security Report advised, covered entities that have put off prioritizing HIPAA compliance steps can’t take for granted that they won’t be flagged with costly penalties, especially as the OCR is conducting additional audits and organizations of all sizes are under their purview. Overall, settlement payments have sharply risen in 2016, with $15 million in settlement payments being made to the HHS over the first seven months of the year.
Why Advocate and OHSU Came Under Fire
As Director Samuels pointed out, there were several required measures that Advocate failed to meet, including the sufficiency of its risk analysis, adequate protection of ePHI stored on laptops (which can be easily lost or stolen), and obtaining a mandatory business associate agreement with a third-party contractor that handled medical billing. In the case of the OHSU, they also failed to obtain a proper business associate agreement before entrusting ePHI to a third-party cloud services vendor.
While all requirements of the HIPAA Security Rule are important, in a number of recent public announcements related to HIPAA enforcement actions, the OCR has specifically called out absent or inadequate risk analyses and issues with business associate agreements. One could interpret these findings as analogous to the aggravating factors that can lead to stiffer sentences in a criminal case.
Of further note is the OCR’s stated view that the OHSU had not addressed documented risks and vulnerabilities in a timely fashion. While risk analysis is an important and required first step towards securing ePHI and complying with the HIPAA Security Rule, the OCR is clearly stating that it expects to see organizations follow through with actions to mitigate identified risks.
OCR Seriousness Extends to Ransomware Attacks
While larger penalties and a broader scope for breach investigations and compliance audits should indicate that the OCR is increasingly serious about enforcing the HIPAA Security Rule, its recently released guidance on the topic of ransomware attacks indicates that it intends to hold covered entities and business associates accountable not only to the letter but also to the spirit of the regulation.
In this guidance, the OCR makes clear that it essentially considers ransomware attacks on PHI-containing environments to be HIPAA data breaches by default (with all the attendant breach notification responsibilities and potential costs) unless a post-event risk assessment solidly points to the contrary. While some in the community have challenged this interpretation, and others have supported it, the bottom line is that it is likely to stick.
For more information, we encourage our readers to download and make use of our new e-guide on this subject.