The Crushing Cost of HIPAA Security Rule Non-Compliance

*Distributed by Law360 on October 2, 2020 and included in its Health Law and Cybersecurity and Privacy Law newsletters.

Between September 21st and 25th, the Department of Health and Human Services' Office for Civil Rights (OCR) announced settlements totaling $10.6 million with three organizations for alleged systemic Health Insurance Portability and Accountability Act (HIPAA) Security Rule violations. In each of the three cases, the entity self-reported a hacking incident. Combined, the hacking incidents compromised the health information of more than 16 million people.

To put the $10.6 million weekly total into perspective, in all of 2019, OCR collected just over $12 million in total settlements and penalties across all HIPAA enforcement actions. It's no secret that OCR has been cracking down on Security Rule violations over the past several years with several seven- and eight-figure settlements, but three in one week is unprecedented.

Here’s a recap:

On September 21, 2020, OCR announced a settlement with an orthopedic clinic in Georgia, which employs fewer than 400 people and serves about 138,000 patients each year.  The clinic agreed to pay $1.5 million after a 2016 hacking incident that compromised over 200,000 patient records.  The hacker gained access to a vendor’s credentials and began accessing the clinic’s system on June 14, 2016.  Although the clinic terminated the compromised credentials on June 27, 2016, it did not effectively stop the intrusion until about three weeks later.

OCR alleged the following Security Rule violations:

  • failure to conduct an adequate and thorough risk analysis;
  • failure to implement sufficient mechanisms to record and examine system activities;
  • failure to enter into business associate agreements with vendors with access to electronic protected health information (ePHI); and  
  • failure to implement reasonable security measures to reduce risks and vulnerabilities.

Two days later, OCR publicized a settlement with an IT and health information management business associate.  The business associate agreed to pay $2.3 million to settle claims of systemic Security Rule violations relating to a 2014 hacking incident impacting 237 covered entities and the ePHI of more than 6 million individuals.  A hacker compromised administrative credentials and remotely accessed the business associate’s information system through its virtual private network.  The business associate learned about the incident from the FBI.

OCR alleged the following Security Rule violations:

  • failure to conduct an accurate and thorough risk analysis;
  • failure to respond to and document a known security incident;
  • failure to implement technical policies and procedures regarding access; and
  • failure to implement procedures to regularly review system activity logs and reports.

By week’s end, OCR released information about a $6.85 million settlement with Premera Blue Cross (the second largest HIPAA settlement to date) for a 2015 cyber-attack exposing the information of more than 10 million individuals.  The hackers gained access to the insurer’s network through an email phishing campaign, which installed malware on a system in the network on May 5, 2014.  The unauthorized access went undetected until January 29, 2015.

OCR alleged the following Security Rule violations:

  • failure to conduct an accurate and thorough risk analysis;
  • failure to implement reasonable security measures to reduce risks and vulnerabilities; and
  • failure to implement reasonable mechanisms that record and examine system activity.

Notably, OCR found that the clinic, the business associate and the insurer each failed to conduct an adequate and thorough risk analysis, which is OCR's most common Security Rule finding.

HIPAA Security Rule Enforcement Trends

While three enforcement settlements in one week totaling more than $10 million is not common, expensive Security Rule violations are not new. Earlier in 2020, OCR announced three other Security Rule settlements (on March 2, July 23 and July 27, 2020), two of them against small providers. The settlement amounts for those three actions totaled $1.165 million. Two of the three actions included an alleged failure to conduct an accurate and thorough risk analysis.

There have been five other announced settlements so far in 2020, but those actions all involved HIPAA Privacy Rule right of access claims. So while just over 50% of the resolutions announced this year involve alleged Security Rule violations, more than 90% of the total settlement dollars are tied to the Security Rule.

These trends continue from 2019.  Last year, failing to perform an adequate risk analysis was the top reason for a HIPAA enforcement action.  Six out of the ten enforcement action resolutions that year involved claims related to Security Rule issues and all of them included an alleged failure to conduct an adequate risk analysis.  While accounting for only 60% of the enforcement actions, the Security Rule-related settlements and penalties accounted for about 70% of the total amount collected in 2019. 

Why is HIPAA Security Rule Non-compliance So Common?

Security Rule compliance continues to be an area where many covered entities and business associates struggle.  The HIPAA Privacy Rule took effect in 2003 – two years before the Security Rule.  Covered entities generally have a much better grasp of the Privacy Rule as well as a commitment to complying with it.  Given that the Privacy Rule was such a big lift in 2003, maybe folks were just tired when the Security Rule took effect in 2005.  Or maybe the Security Rule’s requirement for “reasonable” security measures without much specific direction made the head-in-the-sand approach more appealing than trying to comply.  Or maybe the rapid changes in technology between 2005 and today made it (and continue to make it) seemingly impossible to understand what constitutes reasonable security measures.  Or maybe it’s all of the above.

Whatever the reason, covered entities and business associates can no longer afford non-compliance.  Incidents will happen, including hacking incidents.  And when those incidents result in breaches, as they often do, self-reporting obligations make it much easier for OCR to select targets for investigation.  During an investigation, Security Rule compliance will be a focus and systemic failures or missing risk analyses or policies will be easy to spot.  Without question, those findings will result in an enforcement action.  And as 2020 has demonstrated so far, enforcement is expensive. 

There is no better time than the present for organizations to acknowledge the need to act and create a plan for HIPAA Security Rule compliance. Start by dusting off any security policies and locating the last risk analysis. Examine the policies in light of current practices and regulatory requirements. Then, if it has been more than a year, perform a new risk analysis or update the last one to identify risks and vulnerabilities on every system that stores, processes or transmits ePHI. Next, act on the findings. Because a risk analysis must involve an examination of all Security Rule requirements, its results will be an important roadmap to compliance.

Like most compliance functions, Security Rule compliance will never be a "check the box" project. It requires regular attention. Taking steps now and developing a continuous assessment process will help protect ePHI, avoid millions of dollars in settlements or fines, and avoid headaches and bad press.

Join me and Sammy De La O, of IT Direct, for a three-part webinar series on HIPAA Security and Cybersecurity on October 13, 21 and 29.  In Part II of the series, we will do an in-depth exploration of the risk analysis requirement and how best to comply with it.