HIPAA Enforcement 2023: A Year in Review

The landscape of enforcement actions related to the Health Insurance Portability and Accountability Act (HIPAA) provides valuable insights into enforcement priorities, which can vary from year to year. In fact, 2023 was very different from 2022 (“The Year of the Dentist”). Specifically, in 2023 there was a notable decrease in patients’ right of access matters, and the failure to conduct a HIPAA Security Rule risk analysis reemerged as the star of the enforcement show. Also, there were no dentists in the 2023 resolutions.

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced 13 HIPAA enforcement action resolutions in 2023, amounting to $4,176,500 in total settlements. This is nearly double the amount from 2022 but falls far short of the eight-figure totals seen in 2019 and 2020.

There were a couple of “firsts” in 2023.  OCR announced its first ransomware-related enforcement action.  Also, the New York Attorney General brought and settled the first tracking technologies enforcement action based on OCR’s controversial 2022 guidance.  But the 2023 enforcement year also involved many old favorites:  right of access issues, snooping, disclosing PHI in on-line reviews and many HIPAA Security Rule failures.

Before we dig into the 2023 matters, it is worth doing a side-by-side comparison of HIPAA enforcement over the past five years.

|                                              | 2023              | 2022                   | 2021                  | 2020                 | 2019                  |
|----------------------------------------------|-------------------|------------------------|-----------------------|----------------------|-----------------------|
| Announced Resolutions                        | 13                | 22                     | 14                    | 19                   | 10                    |
| Amount collected                             | $4,176,500        | $2,170,140             | $5,982,150            | $13,554,900          | $12,274,000           |
| Civil Money Penalties (CMPs) v. Settlements  | All settlements   | 2 CMPs; 20 settlements | 1 CMP; 13 settlements | All settlements      | 2 CMPs; 8 settlements |
| Most common issue                            | Risk Analysis (6) | Right of Access (17)   | Right of Access (12)  | Right of Access (11) | Risk Analysis (6)     |
| Right of Access                              | $271,500 (4)      | $859,000 (17)          | $857,150 (12)         | $537,500 (11)        | $170,000 (2)          |
| Risk Analysis                                | $3,555,000 (6)    | $875,000 (1)           | $5,125,000 (2)        | $10,977,400 (6)      | $8,365,500 (6)        |

The “Firsts”

First Ransomware Enforcement Action

On October 31, 2023, OCR announced a settlement with Doctor’s Management Service (DMS) regarding a ransomware attack. While this marks OCR’s first enforcement action involving ransomware, its findings and alleged HIPAA Security Rule violations are all too common.

DMS serves as a business associate to many covered entity medical practices.  In 2019, it filed a breach report with OCR indicating that approximately 206,695 individuals were affected by a GandCrab ransomware attack on their network server.  The network intrusion occurred in April 2017, but the criminal actor did not deploy the ransomware until Christmas Eve in 2018, which is when DMS first discovered the issue.

Following an investigation, OCR found that DMS failed to conduct a thorough risk analysis, implement procedures for regularly reviewing information system activity records, and establish reasonable and appropriate policies and procedures.  Had DMS complied with any or all of these requirements, it likely could have reduced the risk or extent of the ransomware attack in the first place.  DMS agreed to a corrective action plan (CAP) and to pay $100,000 to settle the matter.

The important take-away here is that victims of ransomware attacks are not immune from enforcement actions if OCR determines that the organization’s compliance failures contributed to its system’s vulnerabilities.

First Enforcement Action Regarding Tracking Technologies

The New York State Attorney General announced a $300,000 settlement of a HIPAA enforcement action with New York-Presbyterian Hospital (fun fact: Congress gave state Attorneys General the authority to enforce HIPAA). According to the NY AG’s office, advertising tracking technologies on the hospital’s website collected and shared information with third-party tech companies when visitors used the website to search for doctors or book appointments. Based on guidance from OCR issued in December 2022, the NY AG concluded that the hospital failed to properly notify patients about a data breach arising from its use of the tracking technologies.

OCR has not yet announced any enforcement actions related to its December 2022 tracking technology guidance.  This is likely because OCR is entangled in litigation with the American Hospital Association over the enforceability of its guidance.  But I suspect that we will see enforcement actions in 2024 involving some egregious uses of tracking technologies.  All healthcare organizations that use tracking technologies on their websites should assess their usage.  I offer recommendations for such an assessment in my article, The Pixel Problem: Tracking Technologies and OCR’s Guidance.

Other HIPAA Security Rule-Related Settlements

The Big Settlements

The highest settlement amount in 2023 involved LA Health Plan, the nation’s largest publicly operated health plan.  OCR opened an investigation after reading a 2014 on-line media article revealing that some LA Health Plan members could see information about other members when they logged into their accounts.  LA Health Plan reported that fewer than 500 individuals were affected.

OCR initiated a separate investigation after LA Health Plan reported in 2019 that some members received the membership cards of other members.  It estimated that 1,498 members were affected.

OCR found several alleged violations including failure to perform a proper risk analysis, inadequate security measures and system monitoring, and improper PHI disclosure. LA Health Plan agreed to pay $1.3 million and implement a CAP.

Coming in at number two, Banner Health, a large multi-state provider, reported to OCR that a hacker accessed detailed information on over 2.8 million patients. OCR alleged HIPAA Security Rule violations, including failure to conduct a thorough risk analysis, monitor system activity, ensure proper access, and implement technical security measures. Banner Health agreed to pay $1.25 million and undertake a CAP.

Email Access

A phishing attack on the email account of an owner at Lafourche Medical Group, LLC (LMG) exposed the information of 34,862 patients. OCR found that LMG had never conducted a risk analysis and never implemented HIPAA Security Rule policies and procedures. LMG agreed to pay $480,000 and to enter a CAP to settle the matter.

There are three important take-aways from this matter: (1) do not store PHI in email accounts as they are vulnerable to phishing attacks; consider archiving emails every 90 or 120 days and take other steps to limit the amount of PHI available in email; (2) use multifactor authentication on all email accounts to reduce the likelihood of falling victim to a phishing attack; and (3) it is expensive to ignore HIPAA Security Rule requirements; LMG never implemented HIPAA Security requirements and paid handsomely for it.

Server Accessible on the Internet

Two business associates filed breach reports with OCR indicating that PHI on a server was unsecured and accessible on the internet. MedEvolve settled its case, affecting 230,572 individuals, by paying $350,000 and entering a CAP. iHealth Solutions paid $75,000 and entered a CAP for an incident involving the exfiltration of 267 individuals’ information. In both cases, OCR’s investigation uncovered the lack of a risk analysis (MedEvolve also failed to have a business associate agreement with a subcontractor).

HIPAA Privacy Rule

Right of Access

In 2019, OCR prioritized claims regarding patients’ right to access their records[i] under the HIPAA Privacy Rule. Since then, OCR has resolved 46 right of access claims, the highest among all categories of HIPAA enforcement. While right of access enforcement in 2023 decreased from previous years, it still constituted 30% of all enforcement actions. Typically initiated by patient complaints, these cases generally involve failing to respond to requests for records, not providing timely access, or charging excessive fees.

Here is a summary of the four right of access enforcement action resolutions in 2023:

  • A lab provided copies of requested records nearly 200 days late and only after the personal representative of a patient’s estate filed a complaint with OCR. Settlement: $16,500 and a CAP.
  • A father of three minors complained to OCR that a licensed professional counselor (LPC) did not provide copies of his children’s medical records. OCR sent the LPC a technical assistance letter. A technical assistance letter describes the complaint, explains the compliance obligations under HIPAA and then administratively closes the matter.  The father filed a second complaint after the LPC did not respond to another request.  Settlement: $15,000 and a CAP.
  • A patient complained three times to OCR that UnitedHealthcare Insurance Company (UHIC) failed to provide copies of records. UHIC claimed that an employee error caused the compliance oversight.  Settlement: $80,000 and a CAP.
  • Six complaints were filed with OCR regarding Optum Medical Care of New Jersey, P.C. (Optum) alleging that it took Optum between 84 and 231 days to provide the requested records. Settlement:  $160,000 and a CAP.

In my opinion, right of access issues pose one of the greatest risks of a HIPAA enforcement action for healthcare providers of all sizes and types.  The good news is that avoiding these issues is relatively simple.  Know and follow the rules.  A basic overview of the right of access rules can be found in our short video series.  Also, below are some right of access best practices:

  • Respond promptly to all patient records requests and communicate with patients when there is a delay. Silence from a provider is one of the best ways to ensure that a patient will file a complaint. Unless state law requires a quicker response, under HIPAA providers have 30 days to provide the requested records[ii] or a written explanation as to why they are not providing records.[iii] Depending on state law, HIPAA also allows for a one-time 30-day extension if the provider notifies the patient within the initial 30-day period.[iv]
  • Take all communications received from OCR seriously.  If OCR sends a technical assistance letter, pay attention to it.  If OCR calls or sends an email, respond as soon as possible.
  • Treat personal representatives of patients appropriately.  Several of the right of access matters between 2020 and 2023 involved a personal representative requesting records.  Under HIPAA, a lawful healthcare decision maker for the patient must be treated as the patient with respect to access to records, subject to some limited exceptions.[v]
  • Be sure that you are not overcharging for copies of medical records.  A provider can charge a patient only a reasonable, cost-based fee for copies regardless of state laws on allowable per page fees.  Those state laws take a backseat to the rules under HIPAA.
  • Don’t withhold records because of unpaid bills.

Disclosing PHI without an Authorization

OCR read an Associated Press article featuring a medical center’s response to COVID-19, which included photos and details about three patients.  St. Joseph’s Medical Center (SJMC) allowed a reporter to observe these patients’ treatment and access clinical information without written authorization from the patients. SJMC agreed to settle the matter for $80,000 and to implement a CAP.

Snooping

Security guards at Yakima Valley Memorial Hospital (YVMH) regularly snooped into patient records.  As reported by YVMH, 23 security guards working in the emergency department accessed the medical records of 419 individuals without a job-related purpose.  Typically, snooping issues are limited to one or two employees.  The fact that 23 security guards were involved signifies systemic culture, compliance and training issues.  YVMH agreed to pay $240,000 and to enter a CAP.

There are several important lessons here: (1) snooping is an issue that all covered entities should actively address; (2) policies, training and establishing a culture of confidentiality are critical for ALL employees, not just clinical employees; and (3) OCR is studying and acting on all breach reports, not just those involving more than 500 individuals.
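The Security Rule failure cited in the DMS and Banner Health matters above, and the control that would have surfaced the YVMH snooping sooner, is the same one: a procedure for regularly reviewing information system activity records. As an added example that is not from the article, from OCR, or from any of the organizations named, the script below runs a minimal access review over a constructed EHR audit log. The log format, the role names, the list of clinical actions and the escalation threshold are all assumptions chosen for illustration; a real review would use the EHR’s own audit export and the organization’s own role model.

```python
"""Minimal information-system activity review over EHR access audit logs.

Added example. The log lines, role names, action names and threshold
are constructed assumptions, not data from any enforcement action.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, role, patient, action.
SAMPLE_LOG = """\
2023-05-01T08:02:11,guard01,security,P1001,view_chart
2023-05-01T08:03:40,guard01,security,P1002,view_chart
2023-05-01T08:05:02,guard01,security,P1003,view_chart
2023-05-01T08:10:55,nurse07,clinical,P1001,view_chart
2023-05-01T08:12:30,nurse07,clinical,P1001,update_vitals
2023-05-01T09:00:00,regA,registration,P1004,view_demographics
2023-05-01T09:01:10,regA,registration,P1005,view_chart
2023-05-01T09:30:00,md12,clinical,P1006,view_chart
"""

# Assumed role model: only these roles have a job-related need for
# clinical content, and only these actions touch clinical content.
CLINICAL_ROLES = {"clinical"}
CLINICAL_ACTIONS = {"view_chart", "update_vitals"}
# A non-clinical user opening this many distinct charts is escalated
# for follow-up rather than treated as a one-off mistake.
DISTINCT_PATIENT_THRESHOLD = 3


def parse_log(text):
    """Parse comma-separated audit lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def review_activity(events):
    """Return (findings, escalations).

    findings: each clinical action performed by a user whose role has no
    clinical need (the pattern behind the security-guard snooping case).
    escalations: users in findings who touched at least
    DISTINCT_PATIENT_THRESHOLD distinct patients, which points to a
    systemic problem rather than a single curious employee.
    """
    findings = [
        e for e in events
        if e["action"] in CLINICAL_ACTIONS and e["role"] not in CLINICAL_ROLES
    ]
    patients_by_user = defaultdict(set)
    for e in findings:
        patients_by_user[e["user"]].add(e["patient"])
    escalations = sorted(
        user for user, patients in patients_by_user.items()
        if len(patients) >= DISTINCT_PATIENT_THRESHOLD
    )
    return findings, escalations


if __name__ == "__main__":
    found, escalate = review_activity(parse_log(SAMPLE_LOG))
    for e in found:
        print(f"{e['ts'].isoformat()} {e['user']} ({e['role']}) "
              f"{e['action']} {e['patient']}")
    print("escalate for HR/compliance follow-up:", escalate)
```

On the constructed log the review flags four events: three chart views by the security guard and one by a registration clerk whose demographics lookup is in-role but whose chart view is not. Only the guard crosses the escalation threshold. The point of running this on a schedule is the one OCR keeps citing: the difference between discovering 23 guards reading 419 charts and discovering one guard reading three.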

2023 Not the Brightest Bulb in the Box Award “Winner”

The not-so-coveted Not the Brightest Bulb In the Box Award (NBBIB) for 2023 goes to a psychiatric provider that apparently has not read any of my articles on responding to negative online reviews and missed the story on two of last year’s NBBIB recipients (both dentists).

Manasa Health Center, LLC improperly disclosed the PHI of four patients in response to their negative reviews posted on Google Reviews.  According to OCR’s limited description, Manasa’s response included mental health diagnosis and treatment information.  Manasa agreed to pay $30,000 and to enter a CAP to settle the matter. As a psychiatric provider, Manasa should have been much more sensitive to confidentiality concerns.

Let me be clear about responding to negative online reviews – it is NEVER appropriate to disclose any PHI in an on-line response.  Never.  Ever.  If the provider feels compelled to respond, consider something like: “We’re sorry to learn that you did not have a good experience.  Please feel free to contact X in our office. We’d like to have the opportunity to discuss this with you directly.”  If the provider regularly uses social media, it should have a policy outlining how it will ensure HIPAA compliance.

There are plenty of good reasons for providers to ensure that their HIPAA compliance programs are in order; not the least of which is that no one wants to win the “Not the Brightest Bulb in the Box” Award.

Conclusion

Don’t let the relatively small number of enforcement actions in 2023 lull you into a sense of complacency.  For 2024, I anticipate a much bigger enforcement year in both settlement amounts and number of actions.[vi]  Expect the focus on HIPAA Security Rule compliance to be more intense given the cybersecurity threat landscape but don’t expect OCR to forget about right of access or other issues.  Finally, I think we will hear a lot more about tracking technology enforcement in 2024 from OCR and state AGs.

To reduce the risk of enforcement actions, focus on the areas receiving the most attention.  Ask whether your organization has performed a security risk analysis and, if so, ask whether it has taken steps to address identified issues.  Review the right of access policies and assess responses to patient requests.  Be proactive and you are much less likely to be the target of an enforcement action.

[i]               45 CFR § 164.524.

[ii]           45 CFR §164.524(b)(2)(i).

[iii]          45 CFR § 164.524(d).

[iv]          45 CFR § 164.524(b)(2)(ii). Note that OCR’s proposed changes to the HIPAA Privacy Rule would alter both the initial 30-day window and the 30-day extension, reducing the response window to 15 days.

[v]           45 CFR § 164.502(g).

[vi]          As I am finishing up this article, OCR just announced the first settlement of 2024 – $4.75 million for HIPAA Security Rule failures, already eclipsing the total for 2023.