The agency responsible for enforcing HIPAA compliance is the Department of Health and Human Services' Office for Civil Rights (OCR). Only a handful of HIPAA violations resulted in financial penalties prior to 2016. The number of financial penalties then doubled in 2016, and 2017 saw considerably more enforcement actions.
2018 began with few financial penalties, prompting talk that OCR was slowing down its enforcement activity. However, several settlements followed in the second half of 2018, including the largest HIPAA penalty ever issued.
The recently released Beazley Breach Insights Report reviewed OCR's 2018 enforcement actions against healthcare organizations. Settlements and civil monetary penalties in 2018 ranged from $100,000 to $16 million. The average financial penalty was $2.8 million, up from an average of $1.9 million in 2017.
The Beazley Breach Response (BBR) group also found that OCR's HIPAA investigations are taking longer to resolve. Cases now take 4.3 years to resolve, compared with 3.6 years in 2018.
The Beazley report cautions healthcare organizations that a major breach is not the only trigger for an OCR investigation. OCR now reviews all breach reports and analyzes them for trends that indicate non-compliance.
One example is the Fresenius Medical Care case. The provider reported five breaches, each affecting fewer than 250 records, but the pattern of incidents revealed non-compliance and resulted in a $3.5 million settlement.
Several common themes ran through 2018's HIPAA enforcement actions. One of the most frequent was the failure of covered entities to conduct a risk analysis. Covered entities must perform and document security risk analyses on a regular basis, and they must produce risk management plans that address the identified vulnerabilities and reduce them to an acceptable level.
Access controls must be implemented and maintained. Encrypting all ePHI is a recommended safeguard; if an entity chooses not to use encryption, that decision must be documented and alternative safeguards must be put in place. The settlements also underline how critical it is to have business associate agreements (BAAs) in place before vendors are given access to PHI.
Although many of the cases involved Security Rule failures, the 2018 HIPAA settlements also highlight the importance of protecting patient rights and complying with the HIPAA Privacy Rule. Several settlements involved Privacy Rule violations, including filming patients and disclosing PHI without obtaining patient authorization.