Recent HIPAA Enforcement Settlements Show More Prompt OCR Action

Historically, it often takes the Department of Health and Human Services’ Office for Civil Rights (OCR) five or more years to complete an investigation, bring an enforcement action and announce a resolution. That’s changing. We first saw the move to more expedient enforcement in patient-initiated right of action complaints. But there’s also been increased speed in resolving complex, self-reported breaches. Just last week, OCR announced two settlements based on breach reports filed in 2017.

In a resolution OCR announced on October 30, 2020, the City of New Haven agreed to pay $202,400 and to enter a corrective action plan based on a terminated employee’s access of 498 patient records. OCR’s investigation revealed that after being fired, the former employee used her work key to enter her former office, download electronic patient records and remove physical files. Records of the 498 patients contained names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results.

OCR concluded that the City of New Haven improperly disclosed the information described above, lacked privacy policies, had not performed a risk analysis, had no process for terminating former employee access, and failed to assign a unique identifier for tracking users.

Aetna’s settlement of $1,000,000 and a corrective action plan arose from three separate self-reported breaches in 2017. The first involved plan-related documents on members that were accessible online without login credentials and were indexed by various web search engines. This impacted 5,002 individuals.

In the second reported breach, Aetna mailed benefit notices to members using window envelopes, which exposed the words “HIV medications.” This breach affected 11,887 individuals. The third reported 2017 breach involved 1,600 research study participants who received a mailing with the name and logo of the atrial fibrillation research study (the study in which they were participating) prominently displayed on the envelope.

After an investigation, OCR concluded that Aetna failed to evaluate the impact of operational changes on the security of electronic protected health information (ePHI), failed to implement identity verification procedures, failed to limit PHI disclosures to the minimum necessary, and failed to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

For those of you keeping score, there have been 15 settlements announced so far this year, with the total amount of all settlements at $13,413,900. There have been no announced civil monetary penalties yet. This year’s total after just 10 months exceeds 2019’s total by more than $1 million. Further, the total number of enforcement action resolutions so far in 2020 is 50% greater than in 2019.