Summary of OCR’s HIPAA Enforcement Activities in 2017

The Department of Health and Human Services' Office for Civil Rights (OCR) and state attorneys general continued to aggressively pursue financial settlements for violations of the HIPAA Rules in 2017. From nine HIPAA settlements and one civil monetary penalty, OCR collected a total of $19,393,000 from covered entities and business associates. In 2016, the amount collected from HIPAA-covered entities and business associates for 12 settlements was $25,505,300. The HIPAA-covered entities and business associates that paid financial penalties to OCR in 2017 are listed in the table below.

| Covered Entity | Amount | Type | Violation Type |
|---|---|---|---|
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| Children's Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| St. Luke's-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| The Center for Children's Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |

OCR's HIPAA enforcement activities for 2017 show that many covered entities still fail to meet the HIPAA Rules' requirements to keep PHI secure on portable devices, conduct an organization-wide risk assessment, implement a security risk management process, and sign HIPAA-compliant business associate agreements with all vendors. Failure to issue breach notifications promptly also persisted from 2016 into 2017. In 2017, for the first time, OCR reached a settlement over this common HIPAA violation, the delayed issuing of breach notifications.

OCR started the second phase of its HIPAA compliance desk audit program in late 2016. The full results of the compliance audits have not yet been released, but OCR has announced preliminary findings. Each covered entity's degree of compliance was rated on a scale from 1 to 5: a rating of 1 means the covered entity complied fully with the audited HIPAA Rules, and a rating of 5 means the covered entity made no effort to comply. The preliminary findings of the HIPAA compliance audits are listed in the table below. The compliance audits will continue into 2018, and entities that have made no attempt to comply with the HIPAA Rules will face financial penalties.

| HIPAA Rule | Compliance Controls Audited | Covered Entities Given Rating of 5 | Covered Entities Given Rating of 1 |
|---|---|---|---|
| Breach Notification Rule (103 audits) | Timeliness of Breach Notifications | 15 | 67 |
| Breach Notification Rule (103 audits) | Content of Breach Notifications | 9 | 14 |
| Privacy Rule (103 audits) | Right to Access PHI | 11 | 1 |
| Privacy Rule (103 audits) | Notice of Privacy Practices | 16 | 2 |
| Privacy Rule (103 audits) | Electronic Notice | 15 | 59 |
| Security Rule (63 audits) | Risk Analysis | 13 | 0 |
| Security Rule (63 audits) | Risk Management | 17 | 1 |

State attorneys general also help OCR enforce the HIPAA Rules. The HITECH Act gives them the authority to impose fines for HIPAA violations, but most choose to pursue privacy breaches under state laws instead. The settlements reached with HIPAA-covered entities by state attorneys general in 2017 are listed in the table below.

| Covered Entity | State | Amount | Individuals Affected | Reason |
|---|---|---|---|---|
| Cottage Health System | California | $2,000,000 | More than 54,000 | Failure to Safeguard Personal Information |
| Horizon Healthcare Services Inc. | New Jersey | $1,100,000 | 3.7 million | Failure to Safeguard Personal Information |
| SAManage USA, Inc. | Vermont | $264,000 | 660 | Exposure of PHI on Internet |
| CoPilot Provider Support Services, Inc. | New York | $130,000 | 221,178 | Late Breach Notifications |
| Multi-State Billing Services | Massachusetts | $100,000 | 2,600 | Failure to Safeguard Personal Information |
About Christine Garcia

Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] and follow her on Twitter at https://twitter.com/ChrisCalHIPAA