Recent activity by the U.S. Department of Health and Human Services (HHS) signals a significant and sustained uptick in HIPAA enforcement and associated penalties. First, the agency has pursued random audits, the results of which it intends to use to build an ongoing audit program and protocol. That protocol will support HHS’s efforts to comply with the HITECH Act, which made such audits mandatory. The audits cover the HIPAA Privacy, Security, and Breach Notification Rules to evaluate covered entities’ compliance with their provisions. The results of the first 20 audits have been published, and indicate that the majority of findings (65%) pertain to incomplete implementation of the Security Rule. Eighty percent of those were attributable to health care providers, as opposed to health care clearinghouses or health plans. The audits intentionally target covered entities of various types and sizes and this pilot phase will continue through 2012. The initial audit protocol was recently published by HHS and is available at this link.
Around the same time, on June 26, 2012, HHS announced its most recent HIPAA enforcement settlement. The target entity was the Alaska Department of Health and Human Services (DHHS), marking HHS’s first HIPAA enforcement against a state agency. The action followed a security breach Alaska DHHS reported involving a stolen USB drive that may have contained ePHI. HHS’s wide-ranging investigation uncovered multiple reported shortcomings, and the resultant settlement included an agreement to implement a corrective action plan and pay a settlement amount of $1.7 million.
Prior to that, on April 17, HHS announced that it settled a HIPAA violation alleged against Phoenix Cardiac Surgery, P.C. That case was the first significant HIPAA enforcement action involving a physician practice. The practice agreed to pay a $100,000 settlement amount and implement a corrective action plan to come into full HIPAA compliance under agency oversight. The compliance review followed an individual complaint to HHS regarding the practice’s use of an Internet-based, publicly available calendar that revealed individually identifiable health information. Significantly, and like the action against Alaska DHHS, many of the violations cited were not directly related to the initial complaint, signaling the type of comprehensive evaluation that has become increasingly common when HHS pursues a compliance review after a complaint or security breach.
Multiple HIPAA resolutions have been reached with HHS in recent years, including settlement payments from $865,000-$2.25 million and one civil monetary penalty of $4.3 million. These actions provide a clear picture of the results HIPAA covered entities can expect if a security breach or an individual complaint causes the agency to investigate and uncover general failure to implement the many dozens of provisions contained in the Privacy, Security, and Breach Notification Rules.
HIPAA enforcement by states also has continued to escalate. Just a few weeks prior to releasing its own audit protocol, HHS published the materials it used to train state attorneys general on their newly-obtained right to enforce HIPAA. That material is available here. To date, at least four states have pursued HIPAA enforcement actions, the most recent having been settled by Minnesota for $2.5 Million. Covered entities should anticipate the trend of increased state enforcement will continue as reported security breaches, HHS audits and individual complaints continue to uncover compliance problems signaling that pursuing such enforcement is often fruitful.