2018 turned out to be a year of record fines for HIPAA violations: over $25 million in fines, with the mean fine being just over $2.5 million. Could your medical entity bear that financial burden? Would it suffer irreparable harm from the adverse publicity? And just what violations did these healthcare entities commit to get scrutinized, investigated and penalized?
Since 2016, settlements and fines from the Department of Health and Human Services’ Office for Civil Rights (OCR) have risen substantially. Healthcare entities should expect this trend to continue and remain committed to avoiding HIPAA security breaches, negligence and failure to follow long-standing policies.
2018 Review of OCR Settlements
Whether your business is a smaller, private entity or a large, public entity, OCR investigations are expensive and potentially damaging to your business’s reputation. Prevention is our best defense – don’t let these errors happen.
- Fresenius Medical Care North America. $3,500,000 – Settlement. Risk analysis failure. Impermissible disclosure of ePHI. No policies covering electronic devices. Insufficient encryption; inadequate security policies; inadequate physical safeguards.
- Filefax, Inc. $100,000 – Settlement. Unauthorized disclosure of PHI.
- University of Texas MD Anderson Cancer Center. $4,348,000 – Civil monetary penalty. Impermissible disclosure of ePHI. No encryption.
- Massachusetts General Hospital. $515,000 – Settlement. Filming patients without consent.
- Brigham and Women’s Hospital. $384,000 – Settlement. Filming patients without consent.
- Boston Medical Center. $100,000 – Settlement. Filming patients without consent.
- Anthem Inc. $16,000,000 – Settlement. Risk analysis failures. Inadequate review of system activity. Failure to respond to an identified breach. Lacking technical controls to thwart unlawful ePHI access.
- Allergy Associates of Hartford. $125,000 – Settlement. PHI disclosure to a journalist. No sanctions against an employee.
- Advanced Care Hospitalists. $500,000 – Settlement. Unauthorized PHI disclosure. No BAA (business associate agreement). Deficient security measures. No HIPAA compliance efforts before April 1, 2014.
- Pagosa Springs Medical Center. $111,400 – Settlement. Failure to end employee access. No Business Associate Agreement (BAA).
Don’t forget about your State’s Attorney General’s Office
Medical entities also saw a rise in fines and monetary penalties from state attorneys general. While the penalties are not always for HIPAA violations, they are still a distraction from your healthcare entity’s mission, consuming employees’ time and financial resources to defend you against alleged violations of state law and HIPAA. Some states have become more aggressive in enforcing HIPAA violations. The Northeastern states – New Jersey, New York, Massachusetts, Connecticut and the District of Columbia – have stepped up their enforcement efforts, along with Washington State (which has yet to announce a settlement amount with Aetna). Defendants in these actions include insurance companies, hospitals, medical groups and even a transcription company.
State settlement amounts have ranged from a low of $75,000 to a high of over $1,000,000.
Common sense and training along with competent managed IT services will help ensure that your business is at decreased risk of HIPAA fines and penalties.
The deeper your understanding of the scope of potential HIPAA violations, the less likely you’ll be guilty of violating patient privacy. The Department of Health and Human Services publishes OCR news and bulletins on its website. Details of every action are published on a timely basis, including a PDF of the resolution agreement.
Make it a point to review the OCR website on a monthly basis. The published actions show the kinds of employee or departmental behavior that lead to enforcement.
Many of these offenses seem obvious in retrospect. Ensure that every employee understands these simple violations.
- Business associate agreement. Ensure that business associate agreements (BAAs) with outside vendors are properly executed and that the vendor owner (or their authorized agent) knows of the agreement.
- Terminated employees. Have a written policy regarding terminated employees so that their access to confidential patient information is revoked immediately. Your HR department and IT services vendor should work in unison to change passwords and deny access as soon as the employee leaves or is terminated.
- Filming patients without consent. Don’t be lured into a major HIPAA violation by television and documentary filmmakers. While upper management and the CEO may feel that being featured in a TV series will bring prestige and goodwill to the facility, patients don’t feel that way and are protected by HIPAA.
- Healthcare entities must be proactive in protecting data. Seemingly simple violations like insufficient encryption, no response to a breach or not providing HIPAA training to employees will not be accepted as an excuse by OCR or state attorneys general.
Cybersecurity may be seen as a burdensome expense. Protecting data is costly, but it preserves your business’s ability to recover in the event of a natural disaster or ransomware attack. Many of these settlements and penalties resulted from simple mistakes that would not have been costly to avoid. Be proactive and develop a plan to avoid expensive, avoidable HIPAA violations.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.