A Year in Review: HIPAA Enforcement in 2019

While there is still a chance that the Department of Health and Human Services’ Office for Civil Rights (OCR) will announce a 2019 enforcement case in early 2020, like it did last year, it appears that the 2019 HIPAA enforcement year is over with a lot less fanfare (and cash) than last year.  The total in settlements and penalties for 2019 is $12.2 million, which is substantially less than OCR’s highest ever total of $28.7 million just one year ago.  But it’s simple to account for the discrepancy; 2018 was the year of the $16 million Anthem settlement.

Although 2019 did not involve any Anthem-sized settlements or penalties, there were several notable takeaways.  First, failing to perform an adequate risk analysis remains a top reason for enforcement.  Second, OCR made clear that neither small providers nor state agencies are immune from enforcement actions.  Third, OCR was serious when it proclaimed that right of access claims would be an enforcement priority.  Finally, OCR is not afraid to use its authority to impose civil money penalties when the parties cannot reach a settlement.

Below is a brief description of each enforcement matter with a link to additional information about each on HHS’s website.

  • With less than two days left in 2019, OCR announced that a small, rural Georgia ambulance provider agreed to pay $65,000 to settle claims of multiple HIPAA Security Rule violations.  The ambulance company filed a breach report in 2013 reporting that an unencrypted laptop containing the information of exactly 500 patients fell off the bumper of an ambulance and was not recovered.  This report triggered an investigation, which revealed that the ambulance company had not performed a risk analysis, did not have a security training program and failed to implement Security Rule policies or procedures. 
  • OCR announced its second right of access settlement on December 12, 2019, for $85,000 against a small provider in Florida, making good on its promise to prioritize claims by patients who could not access their medical records as required under HIPAA.  Notably, this settlement is based on a patient complaint filed in March 2019.  OCR is moving swiftly on these claims and, in this matter, even provided technical assistance to give the provider the opportunity to correct its error, but the provider refused to comply.
  • Sentara, a hospital system in Virginia and North Carolina, agreed to pay $2.175 million to settle claims that it didn’t meet HIPAA breach notification requirements and didn’t have a business associate agreement with its parent company, which provided billing and other services.  In 2017, Sentara sent 577 bills to the incorrect patients.  Sentara reported only 8 of those breaches to DHHS because it believed that detailed medical information must be involved to constitute a breach.  For such a large health system, this kind of error is surprising. It’s also worth noting that OCR seems to be acting on complaints more swiftly than in the past.  This claim resolved in fewer than 3 years.
  • On November 7, 2019, OCR publicized a $1.6 million civil money penalty (CMP) against a state Medicaid and social service agency in Texas for placing assistance applications of more than 6,600 individuals on a public server. The CMP is based on a lack of access and audit controls and a failure to conduct an agency-wide risk analysis.  
  • Two days earlier, OCR revealed a $3 million settlement with the University of Rochester Medical Center for systemic HIPAA security issues including a lost and unencrypted flash drive and laptop, failure to conduct an accurate and thorough risk analysis, failure to implement appropriate security measures to address vulnerabilities and failure to have adequate policies to protect electronic protected health information (PHI).
  • About two weeks before the CMP against the Texas state agency, OCR announced a $2.15 million CMP against a non-profit academic medical center in Florida, Jackson Health Systems (JHS).  According to OCR, JHS had numerous and substantial issues over several years such as inappropriate employee access and disclosure of PHI (including disclosure of an NFL player’s injury on social media and an employee’s sale of thousands of patients’ PHI), inadequate risk analyses, failure to follow up on recommendations related to risks, and failure to timely report multiple breaches. The Notice of Proposed Determination, setting forth all the findings of fact and the method for calculating the CMP, is worth a read.
  • A Dallas dental provider agreed to pay $10,000 because it responded to patients’ reviews on Yelp and included patient information in the response. If providers want to use social media, they must have policies on how to do so and must never disclose PHI, even if the patient discloses details about the care and services.
  • On September 9, 2019, OCR announced its first settlement of a right of access claim. A healthcare provider took more than 9 months to provide requested fetal monitoring records to the mother and had to pay $85,000 to settle the claim. Unlike other OCR enforcement actions that take years to reach the settlement phase, this action was based on a complaint filed in August 2018 and signals OCR’s commitment to prioritizing right of access issues.
  • Medical Informatics Engineering, Inc., a business associate, agreed to pay $100,000 for failing to conduct a comprehensive risk analysis.  The software and electronic medical record service provider filed a breach report regarding the compromise of the records of 3.5 million people.  OCR discovered the failure to perform the risk analysis during its investigation.  
  • OCR publicized its first and largest settlement of the year on May 6, 2019.  A Tennessee-based diagnostic medical imaging company agreed to pay $3,000,000 to settle claims relating to a breach involving 300,000 patients.  OCR found that the company waited months before investigating reports from the FBI that PHI was visible on the internet. In addition, the company failed to perform an adequate risk analysis and did not have business associate agreements in place with IT vendors.