The Department of Health and Human Services’ Office for Civil Rights has enforced compliance with the Health Insurance Portability and Accountability Act (HIPAA) more aggressively in recent years. While there was a downturn in enforcement actions in 2021, the number of settlements and civil monetary penalties imposed on HIPAA-regulated entities is still well above average, as this graph from HIPAA Journal shows.
Many of the HIPAA fines imposed since 2019 have been for violations of the HIPAA Right of Access, an enforcement drive that is still in effect. The HIPAA Right of Access allows individuals to inspect and obtain a copy of the protected health information held by a HIPAA-covered entity. When such a request is received, a HIPAA-covered entity must provide access or a copy of the requested information within a reasonable amount of time, and no later than 30 days from receipt of a written request (a single 30-day extension is possible in limited circumstances).
Former OCR Director Roger Severino was at the helm of OCR during this new enforcement drive. During his tenure, OCR broke several HIPAA enforcement records, including imposing OCR’s largest-ever HIPAA fine, the $16 million financial penalty for Anthem Inc. to resolve HIPAA violations uncovered during the investigation of its 78.8 million-record data breach, and the most HIPAA penalties imposed in a single year, the 19 penalties imposed by OCR in 2020.
Clearwater recently hosted a webinar discussion with Severino on the future of data privacy and privacy law in healthcare. During the webinar, Severino explained that before OCR launched this enforcement drive, the HIPAA Right of Access was one of the most under-enforced areas of HIPAA. Many healthcare organizations were simply ignoring this important HIPAA right and were not providing patients with the requested records, even though providing patients with their medical records is important for coordination of care, helps patients take a more active role in their own healthcare, and allows them to check their medical records for errors. Severino said he believed one of the main reasons for widespread non-compliance with this important HIPAA right was the lack of enforcement. That has now changed.
Severino also explained that HIPAA enforcement actions are not so much about punishing organizations for non-compliance; rather, they are concerned with ensuring the HIPAA Rules are followed and with creating a culture of compliance, although there are exceptions in cases of particularly egregious violations.
Severino also provided insights into the re-interpretation of the penalty structure for HIPAA violations. The HITECH Act called for changes to HIPAA penalties, which were interpreted at the time as requiring the same maximum annual penalty for each of the four tiers of violation. OCR re-interpreted this requirement and reduced the annual penalty caps in three of the four penalty tiers, applying the changes through a notice of enforcement discretion. This came in response to a contested case involving a civil monetary penalty, in which the covered entity alleged that OCR had exceeded its authority and issued an unreasonable penalty. Severino explained that after the change to the penalty structure, the emphasis in enforcement largely shifted to cases of willful neglect of the HIPAA Rules, rather than imposing penalties in the reasonable cause tier, which is easier to prove. This is an important outcome of the change to the penalty structure.
Since the record-breaking year of HIPAA enforcement, fewer penalties have been issued, which can be partly explained by the pandemic and the resulting shift in OCR’s focus. Severino explained that when he vacated the post there were many HIPAA Right of Access cases still open, so financial penalties for non-compliance with this important HIPAA provision may well continue, although the new OCR Director, Lisa Pino, may choose to take enforcement in a different direction. One area where enforcement has been virtually non-existent is the Breach Notification Rule. There have been many recent data breaches in which HIPAA-regulated entities issued notifications many months after protected health information was exposed or stolen. That could well be an area where OCR chooses to enforce compliance, to ensure that breach victims are notified promptly and given the opportunity to take steps to protect themselves against financial harm.