HIPAA violation cases are very common, despite increased enforcement efforts. While we often speak about how to avoid violating HIPAA and the need to introduce HIPAA compliant procedures and behaviors among employees, it is important to be aware of the consequences that can follow HIPAA violations. Generally, HIPAA violation cases are investigated and pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR). These investigations can arise following reports of violations submitted by employees or patients, or as a result of data breaches being reported to OCR. In some cases, state attorneys general or even the Department of Justice may conduct their own investigations.
Recent years have seen an increase in the number of HIPAA violation cases that have led to monetary penalties. Many of these have been in the form of settlements. As of the end of January 2018, the Department of Health and Human Services had received over 173,000 complaints of HIPAA violations. Almost 170,000 of these cases have been resolved by the OCR. Only 53 cases have resulted in fines or settlements, as opposed to over 25,000 that were resolved through corrective action or technical assistance, yet the money healthcare organizations have paid out in those 53 cases totals over $75 million, an average of around $1.5 million per financial resolution.
As the OCR investigates all manner of organizations, from national chains to private clinics, such a penalty could have a serious impact or even completely close a business.
Most Common Issues
The most frequent reported violations OCR investigates are:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
Recent Violation Cases
Some recent violations highlighted on the OCR website include a defunct company’s receiver having to pay a settlement, a medical services company paying millions following breaches, and a breach of a single patient’s PHI leading to a settlement of almost $400,000.
Filefax, a company that stored, maintained, and delivered medical records for HIPAA covered entities, was closed down at the same time as an OCR investigation was underway. A receiver was appointed to liquidate the assets. The OCR’s investigation concluded that PHI had been carelessly handled: it had been left in an unlocked vehicle, transported by unauthorized individuals, and left unsecured outside of a Filefax facility. These offenses constitute impermissible disclosures and affected 2,150 people.
Due to these actions, even though the company was no longer in operation, the receiver of the company has agreed to pay a $100,000 settlement and has undertaken to dispose of PHI that still exists at the Filefax facility in a HIPAA compliant manner.
Fresenius Medical Care North America (FMCNA), which runs a network of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, has agreed to pay a settlement of $3.5 million following breaches at five of its facilities. During the investigation by the OCR, it was found that FMCNA “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI” and that they “impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule”.
FMCNA must implement a corrective action plan to remedy the many problems in addition to paying the monetary settlement. Both the FMCNA and Filefax settlements were announced in February 2018, and their amounts come on top of the $75 million in monetary penalties mentioned above.
St. Luke’s-Roosevelt Hospital Center Inc. received a strong reminder of the importance of correctly transmitting PHI following a breach that affected a single individual. The OCR ruled that one of St. Luke’s entities had “impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box”. The records sent contained “sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse”. The investigation also found that a related breach had previously occurred but the issue had not been adequately addressed by the compliance program aimed at preventing such impermissible disclosures. St. Luke’s settled the case for $387,200.
The Importance of Compliance
As can be seen from these three recent cases, HIPAA violations have real impacts for covered entities as well as for individuals. Simple mistakes, such as faxing PHI instead of sending it by letter, can have dire consequences. On a larger scale, failing to design and implement the correct procedures can impact an entire network of healthcare facilities and its patients. Even disposing of PHI must be done correctly – the Filefax case revolved around PHI being transported and left at a shredding and recycling facility.
Risk assessments, training, and awareness of HIPAA Rules must all be high and recurring priorities for HIPAA covered entities. If not, they risk finding out the hard way what OCR Director Roger Severino stated following the Filefax case: OCR is committed to enforcing HIPAA.