In 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued 10 financial penalties and one civil monetary penalty. OCR received a total of $12,274,000 from the settlement of HIPAA violation cases, an average of $1,022,833 per case. OCR reached settlements with 9 entities, compared with 8 in 2018.
HIPAA Enforcement in 2019 by the HHS’ Office for Civil Rights
Particularly egregious violations draw financial penalties; however, several of the 2019 HIPAA settlements give insight into OCR’s preferred way of handling noncompliance. Even after discovering HIPAA violations, OCR prefers to resolve cases through voluntary compliance and by providing technical assistance. If covered entities still do not act on OCR’s guidance after technical assistance has been provided, they are issued financial penalties.
This is what happened in two of the latest HIPAA enforcement actions. OCR investigated two covered entities for compliance after receiving notifications of data breaches and found violations of the HIPAA Rules in both incidents. OCR opted to provide technical assistance to the two entities instead of issuing financial penalties; however, the covered entities did not take action and consequently received financial penalties.
Sentara Hospitals disagreed with OCR’s guidance and did not update its breach report to indicate the correct number of patients impacted. West Georgia Ambulance was given technical guidance but did not take the required steps to address the areas of noncompliance identified by OCR.
If OCR states that there are problems with an entity’s HIPAA compliance, or provides technical guidance, it is best to act on that guidance immediately. Failing to take corrective action will almost certainly attract financial penalties and bad publicity, on top of the requirement to alter policies and procedures in accordance with the guidance.
Two important HIPAA enforcement updates in 2019 were:
1. OCR’s new interpretation of the HIPAA penalty provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act of 2009 required higher penalties for HIPAA violations. On January 25, 2013, HHS issued an interim final rule adopting a revised penalty structure. At the time, the wording of the HITECH Act regarding the penalty tiers was considered inconsistent. OCR decided that the most reasonable interpretation of the HITECH Act requirements was an identical $1,500,000 maximum penalty per violation category per year across all four penalty tiers.
In April 2019, OCR issued a notice of enforcement discretion concerning the penalties. After reviewing the HITECH Act, the maximum penalties were adjusted to $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3.
2. Launch of a new HIPAA Right of Access enforcement initiative
This initiative targeted organizations that were charging patients excessively for copies of their healthcare records, and those that did not provide patients with copies of their medical records promptly and in the format the patient requested.
A study conducted by Citizen Health highlighted the extent of noncompliance: 51% of healthcare organizations did not comply fully with the HIPAA Right of Access. Common failures include:
- delays in giving copies of medical records
- not sending the PHI to the patient’s nominated representatives or health applications
- not giving a copy of medical records in the requested digital format
- overcharging for copies of medical records
To date, the two HIPAA Right of Access settlements under OCR’s enforcement initiative have involved $85,000 penalties. These enforcement actions make it clear to healthcare companies that violations of the HIPAA Right of Access will not be overlooked.
Besides Right of Access violations, other areas of noncompliance also attract financial penalties, particularly the failure to conduct a comprehensive, organization-wide risk analysis and violations of the HIPAA Breach Notification Rule.
HIPAA Compliance Issues Cited in 2019 Enforcement Actions
- Risk Analysis – 5 cases
- Breach Notifications – 3 cases
- Access Controls – 2 cases
- Business Associate Agreements – 2 cases
- HIPAA Right of Access – 2 cases
- Security Rule Policies and Procedures – 2 cases
- Device and Media Controls – 1 case
- Failure to Respond to a Security Incident – 1 case
- Information System Activity Monitoring – 1 case
- No Encryption – 1 case
- Notices of Privacy Practices – 1 case
- Privacy Rule Policies and Procedures – 1 case
- Risk Management – 1 case
- Security Awareness Training for Employees – 1 case
- Social Media Disclosures – 1 case
OCR’s HIPAA enforcement in 2019 also made clear that OCR launches a compliance investigation into every breach impacting 500 or more records to determine whether noncompliance was the cause. However, OCR also investigates complaints and initiates compliance reviews even when no data breach has occurred, as in the case of the two HIPAA Right of Access initiative enforcement actions.