The HHS’ Office for Civil Rights (OCR) kept HIPAA enforcement at roughly the same level as in each of the previous three years.
In 2019, 10 HIPAA enforcement actions resulted in financial penalties: 2 civil monetary penalties and 8 settlements between OCR and covered entities or business associates.
In total, OCR collected $12,274,000 in fines and settlements. The largest financial penalties of 2019 resolved potential HIPAA violations by Touchstone Medical Imaging and the University of Rochester Medical Center; each settled its case for $3,000,000.
OCR discovered multiple HIPAA Rules violations while investigating several loss and theft incidents that the University of Rochester Medical Center had reported. The violations included failures in risk analysis and risk management, the absence of encryption on portable electronic devices, and inadequate device and media controls.
Touchstone Medical Imaging suffered a data breach in which the PHI of 307,839 individuals was impermissibly disclosed through an FTP server that had been left open to the internet. OCR investigated the incident and found the following violations: failure to conduct a risk analysis, failure to obtain business associate agreements, failure to implement access rights, failure to respond to the security incident, and violations of the HIPAA Breach Notification Rule.
Sentara Hospitals agreed to pay a $2.175 million settlement arising from a mailing error that exposed the PHI of 577 patients but was initially reported to OCR as affecting only 8 people. OCR advised Sentara Hospitals to update the breach notification to include the other persons affected by the mailing error, but Sentara Hospitals declined. OCR determined that a financial penalty was appropriate for Sentara Hospitals’ violation of the Breach Notification Rule and for its failure to have a business associate agreement (BAA) with one vendor.
Jackson Health System (JHS) in Miami, FL was issued a civil monetary penalty of $2.154 million. OCR’s investigation, opened after a data breach, found compliance program failures at JHS that had persisted for many years. The CMP covered violations of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
The Texas Department of Aging and Disability Services was issued a civil monetary penalty of $1,600,000 for multiple HIPAA Rules violations stemming from an exposed internal application. OCR found failures in risk analysis, access control, and information system activity review, which led to the impermissible disclosure of the PHI of 6,617 individuals.
The NoMoreClipboard subsidiary of Indiana-based Medical Informatics Engineering (MIE) suffered a serious data breach in 2015. Hackers used a compromised username and password to access a server containing the PHI of 3.5 million people. OCR determined that MIE had failed to conduct a risk analysis, and MIE settled the violation for $100,000. MIE separately settled a multi-state action brought by state attorneys general for $900,000.
OCR investigated West Georgia Ambulance, based in Carroll County, GA, over the reported loss of an unencrypted laptop computer containing the PHI of 500 patients. OCR determined the following violations: failure to conduct a risk analysis, no security awareness training program for employees, and failure to implement HIPAA Security Rule policies and procedures. The ambulance company paid $65,000 to settle the violations.
One financial penalty involved a social media HIPAA violation. Elite Dental Associates’ responses to patient reviews on Yelp impermissibly disclosed PHI. Elite Dental Associates settled the case with OCR for $10,000.
OCR also launched a new HIPAA enforcement initiative in 2019 and reached two settlements with covered entities over HIPAA Right of Access failures. Because Bayfront Health St. Petersburg and Korunda Medical each failed to provide a patient with the requested copies of their health records within the required time frame, the two covered entities each paid OCR $85,000 to settle their cases.
2019 HIPAA Enforcement by State Attorneys General
State attorneys general also took action in three cases involving HIPAA Rules violations by covered entities and business associates. One was the multi-state action against Medical Informatics Engineering, which was settled with a financial penalty of $900,000.
Premera Blue Cross settled a second multi-state action. The lawsuit stemmed from a 2015 hacking incident in which the records of 10.4 million individuals were stolen. The investigation uncovered multiple HIPAA Rules violations, and Premera agreed to a $10 million financial penalty.
The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had made two mailing errors that exposed highly sensitive information about members’ HIV and atrial fibrillation (AFib) diagnoses. Aetna paid $935,000 to settle the case.