HIPAA Compliance Lessons From 2019 Enforcement Trends

*Distributed by Law360 on January 22, 2020 and included in its Health Law and Cybersecurity and Privacy Law newsletters. This article is based on my earlier HIPAA 2019 Year in Review blog post.

While there is still a chance that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will announce a 2019 enforcement resolution in early 2020, like it did last year, it appears that the 2019 HIPAA enforcement year is over with a lot less fanfare (and cash) than last year.  The total in settlements and penalties for 2019 is $12.2 million, which is substantially less than OCR’s highest ever total of $28.7 million just one year ago.  But it’s simple to account for the discrepancy; 2018 was the year of the $16 million Anthem settlement.

Although the 2019 enforcement year did not involve any Anthem-sized settlements or penalties, there were several notable takeaways. 

First, failing to perform an adequate risk analysis as required under the HIPAA Security Rule remains the top reason for enforcement.  Six out of the ten enforcement action resolutions involved claims of a failure to conduct an adequate risk analysis.  Other common Security Rule compliance issues included failures to address identified vulnerabilities and lack of acceptable policies and procedures to safeguard electronic protected health information (PHI). 

Without question, the Security Rule-related failures in 2019 were far more expensive than the other violations.  For the year’s six Security Rule enforcement actions, OCR recovered $8,365,000 in settlements and penalties, which accounts for nearly 70% of the 2019 total.[1]

Second, OCR was serious when it proclaimed that right of access claims would be an enforcement priority.  Unlike the Security Rule failures that we see year in and year out, right of access has not been a common enforcement theme.  As healthcare becomes much more consumer-focused, patients are requesting access to their records like never before.  And they have the right to do so. 45 CFR §164.524(b)(1); see also 42 USC §17935(e) (right to obtain a copy in electronic format and to direct transmission to a third party).  According to a recent study, however, more than half of all healthcare providers are not compliant with right of access requirements.  This lack of compliance triggered OCR’s new right of access enforcement priority.

Two of the ten 2019 enforcement action resolutions involved right of access claims.  On September 9, 2019, OCR announced its settlement with a 480-bed hospital that took more than 9 months to provide requested fetal monitoring records to the mother.  The provider agreed to pay $85,000 to settle the claim. Unlike other OCR enforcement actions that take years to reach the settlement phase, this action was based on a complaint filed in August 2018 and demonstrates OCR’s commitment to prioritizing right of access issues.

Just three months later, OCR publicized its second right of access settlement, also for $85,000, against Korunda Medical, a primary care and interventional pain management provider that serves about 2,000 patients a year.  Korunda Medical failed to comply with a patient’s request to have medical records sent in a specific electronic format to a third party.  Further, when it finally complied, the provider overcharged the patient for the copies.  Less than two weeks after the patient’s initial March 8, 2019 complaint, OCR provided technical assistance to Korunda Medical.  The provider, however, ignored the technical assistance and the patient filed a second complaint.  OCR launched an investigation on May 8, 2019 and announced the settlement on December 12, 2019, which is lightning-fast enforcement compared to most other HIPAA enforcement actions.  

OCR is evaluating all right of access claims and expeditiously pursuing those with merit regardless of the size or intent of the provider.  Further, OCR may first offer technical assistance, as it did with Korunda Medical.  Such technical assistance gives providers an opportunity to correct compliance issues without penalties; therefore, providers should take seriously and act immediately on OCR’s technical assistance.  In all likelihood, OCR’s prompt action and relatively sizable penalty against Korunda Medical resulted from the provider’s failure to take OCR’s technical assistance seriously. 

Third, the 2019 enforcement year also showed that OCR is not afraid to use its authority to impose civil money penalties (CMPs) when the parties do not reach a settlement.  OCR resolves most HIPAA enforcement actions by settlement.   Two of the ten enforcement actions in 2019 resulted in CMPs, which is a higher percentage than in years past.  OCR announced a $2.15 million CMP against a non-profit academic medical center in Florida, Jackson Health Systems (JHS) in late October.  JHS experienced numerous and substantial issues over several years such as inappropriate employee access and disclosure of PHI (including disclosure of an NFL player’s injury on social media and an employee’s sale of thousands of patients’ PHI), inadequate risk analyses, failure to follow up on recommendations related to risks, and failure to timely report multiple breaches.

Two weeks later, OCR publicized a $1.6 million CMP against a state Medicaid and social service agency in Texas for placing assistance applications of more than 6,600 individuals on a public server. The CMP was based on a lack of access and audit controls and a failure to conduct an agency-wide risk analysis. 

It is unclear why neither the state agency nor the non-profit academic medical center settled the enforcement actions.  The Notice of Proposed Determination from OCR in each case indicated that OCR attempted to resolve both matters by informal means (JHS, Texas state agency).

A final lesson from 2019 is that smaller providers are not immune from enforcement actions.  While a $65,000 settlement may not seem staggering, to a small, rural Georgia ambulance provider, it is just as substantial as a seven-figure settlement for a larger provider.  Additionally, the $10,000 settlement paid by a Dallas dental provider for responding to a patient’s review on Yelp not only reminds providers that social media can be dangerous without clear policies but it also signals that OCR is watching all provider types and sizes.  Finally, as discussed above, one of the two right of access claims involved a smaller provider. 

As for HIPAA enforcement in 2020, there is no question that OCR will be just as active (and possibly more) than it was in 2019.  HIPAA Security Rule compliance likely will be the headliner again.  Also, expect to see a continued focus on a patient’s right of access.  I anticipate that OCR will send more technical assistance communications to providers based on patient complaints for right of access as well as other issues.  And I expect to see higher settlement amounts and penalties for providers who ignore those communications.  Finally, I believe that OCR will continue to resolve enforcement actions more swiftly and, in particular, providers can expect a very quick turnaround on right of access claims, which do not require substantial investigative efforts or resources.   

[1]  The total amount of settlements and penalties for all six actions is $9,865,000 but the civil money penalty (CMP) in one of those actions was based on both Privacy Rule and Security Rule failures.  In that enforcement action, the CMP totaled $2,154,000.  Pursuant to 45 CFR § 160.404, OCR determined that the failure to notify HHS of a breach for 31 days amounted to willful neglect and imposed the maximum penalty of $1,500,000.  For the two Security Rule violations, which occurred for 919 days and 921 days respectively, OCR assigned the much lower “reasonable cause” penalty tier.  With the $1,000 per day penalty and annual calendar maximum of $100,000, those Security Rule violations resulted in a penalty of $654,000.