On July 6, 2011, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an $865,500 settlement with UCLA Health System, its sixth Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule settlement, and the fourth within a year. This news has only further raised the question that has been stirring since the Mass General and Cignet cases: Has OCR reached a new level of enforcement?
At this time, the chance of an investigation leading to a formal settlement or civil money penalty (CMP) remains remote, but those odds are increasing, especially for large organizations that have experienced a headline-grabbing privacy incident. We will have a better understanding of the new face of enforcement as the proactive audits required by the HITECH Act begin occurring and as we reach the two-year anniversary of the HIPAA breach notification obligations. In the meantime, the recent settlements represent good case studies of privacy events that raise the potential of formal HIPAA settlements and provide covered entities with the opportunity to reassess their compliance programs.
The recent string of settlements highlights that privacy incidents, especially ones that capture the public’s attention, are not without Federal repercussions. Covered entities should pay particular attention to threats and vulnerabilities that could lead to very public incidents, such as information about persons of general interest or large caches of health information that could give rise to a large breach. In the end, a robust and effective compliance program—creating a culture of compliance—is the best means of avoiding breaches in the first place and, as a result, staying out of both the media’s and OCR’s crosshairs.
HIPAA enforcement to date
The following provides information about the timing of the six HIPAA settlements that have occurred to date, plus the sole CMP case of Cignet.
Click here to view the table.
For the first five years in which OCR required compliance with the Privacy Rule, it did not enter into any formal settlements or impose any penalties. OCR reached its first formal settlement in 2008 with Providence Health & Services, its second in 2009 with CVS Pharmacy, Inc., and then four settlements and a CMP within the last twelve months (Rite Aid on July 27, 2010, Management Services Organization Washington (MSO) on Dec. 13, 2010, Cignet on Feb. 4, 2011, Massachusetts General Hospital on Feb. 14, 2011, and UCLA Health System on July 6, 2011). While the number of settlements remains low, there is no question that there has been an unprecedented flurry of activity over the last year.
Of note, the average time from OCR starting an investigation to resolution in these cases has been almost exactly two years (in some cases, the date of the incident is used because the resolution agreement does not indicate when the investigation began). This shows that the investigatory and settlement process is a lengthy one, and we should not expect to see enforcement trends changing instantaneously.
What is particularly striking is the uniformity of most of the cases with respect to the type of covered entities involved. There appear to be two clear outliers: the Cignet case (a CMP imposed on a small covered entity based on a particularly egregious case of noncooperation) and MSO (a settlement with a small covered entity that was part of the resolution of a false claims investigation brought by the Department of Justice and the HHS Office of Inspector General). Other than these outliers, the five remaining settlements have all involved large health care providers (hospital or pharmacy systems) and, most importantly, are all based on headline-grabbing events rather than little-known complaints. The cases involve breaches of large volumes of patient data or particularly sensitive data that caught the media’s attention, improper disposal of prescription information that became the subject of continuing television news coverage, or celebrity snooping cases that were widely publicized.
Two events over the next year may further clarify the degree to which OCR is stepping up its enforcement efforts. The first is the two-year anniversary of the HIPAA Breach Notification Rule’s compliance date on Sept. 24, 2011. In light of the average of two years that it takes for an investigation to reach formal settlement, it will be worth watching whether some of the first large breach reports lead to formal settlements or CMPs. Of note, the Breach Notification Rule has the potential to create an enforcement “feedback loop”: OCR appears most likely to seek formal settlements with respect to incidents that garner media attention, and the Breach Notification Rule requires that covered entities self-report large incidents to the media.
The second event is the upcoming HIPAA privacy and security audits, which were discussed in a prior advisory. It is unclear at this time whether such audits will lead to enforcement actions, such as formal settlements. Although OCR may provide some early clues as the audit program begins, it may be years before we learn this answer.
As OCR increases its enforcement efforts under the Privacy Rule, covered entities should assess their HIPAA compliance programs to avoid becoming the target of an investigation. Keeping privacy and security policies and procedures up to date, monitoring the effectiveness of these policies and procedures in practice, and providing ongoing training to ensure that personnel are aware of their HIPAA compliance obligations are all prudent steps for covered entities to take to reduce their exposure under HIPAA. Covered entities should pay particular attention to high-risk areas, such as records of persons of general interest or large caches of information.