HIPAA settlements reached record highs in 2016. This is in part due to the Department of Health and Human Services’ Office for Civil Rights increasing its enforcement activities in recent years. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. This included seven unique settlements which were in excess of $1,500,000.
In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. The Administrative Law Judge ruled that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total number of violations settled by the OCR to thirteen for 2016. Only two healthcare organizations-including Lincare-have been required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act (HIPAA). All other organizations opted to settle with OCR voluntarily.
The OCR does not always deem financial penalties appropriate for the cases they deal with. The body often prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, such as when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.
Large-scale breaches of PHI may warrant financial penalties and the size of the breach will affect the severity of the penalty imposed. The OCR has also resorted to financial penalties when relatively small-scale breaches have occurred, with few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.
A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:
Summary of 2016 HIPAA Settlements
|
Covered Entity |
Date |
Amount |
Breach that triggered OCR investigation |
Individuals impacted |
|
University of Massachusetts Amherst (UMass) |
November, 2016 |
$650,000 |
Malware infection |
1,670 |
|
St. Joseph Health |
October, 2016 |
$2,140,500 |
PHI made available through search engines |
31,800 |
|
Care New England Health System |
September, 2016 |
$400,000 |
Loss of two unencrypted backup tapes |
14,000 |
|
Advocate Health Care Network |
August, 2016 |
$5,550,000 |
Theft of desktop computers, loss of laptop, improper access of data at business associate |
3,994,175 (combined total of three separate breaches) |
|
University of Mississippi Medical Center |
July, 2016 |
$2,750,000 |
Unprotected network drive |
10.,000 |
|
Oregon Health & Science University |
July, 2016 |
$2,700,000 |
Loss of unencrypted laptop / Storage on cloud server without BAA |
4,361 (combined total of two breaches) |
|
Catholic Health Care Services of the Archdiocese of Philadelphia |
June, 2016 |
$650,000 |
Theft of mobile device |
412 (Combined total) |
|
New York Presbyterian Hospital |
April, 2016 |
$2,200,000 |
Filming of patients by TV crew |
Unconfirmed |
|
Raleigh Orthopaedic Clinic, P.A. of North Carolina |
April, 2016 |
$750,000 |
Improper disclosure to business associate |
17,300 |
|
Feinstein Institute for Medical Research |
March, 2016 |
$3,900,000 |
Improper disclosure of research participants’ PHI |
13,000 |
|
North Memorial Health Care of Minnesota |
March, 2016 |
$1,550,000 |
Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) |
299,401 |
|
Complete P.T., Pool & Land Physical Therapy, Inc. |
February, 2016 |
$25,000 |
Improper disclosure of PHI (website testimonials) |
Unconfirmed |
|
Lincare, Inc. |
February, 2016* |
$239,800 |
Improper disclosure (unprotected documents) |
Last August saw the largest HIPAA settlement ever agreed with a single covered entity occur. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.
The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, split into $3.3 million paid by the New York-Presbyterian Hospital and $1.5 million paid by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.
This year’s first settlement was agreed to with Presence Health. The settlement-amounting to$475,000-was solely based on delayed breach notifications . This is the first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.
The future of HIPAA enforcement activities is unclear. Funding for the OCR may be cut under the new administration, which would likely have an impact on HIPAA enforcement and may see fewer violations be followed up by an investigation.
This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will start any time in the near future.
Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”
Jocelyn Samuels will be standing down as head of OCR later in 2017. No replacement has yet been announced. While there are a number of suitable candidates for the position, incoming president Trump has yet expressed any opinions on the matter. The future OCR director is likely not to be high on his priority list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.
HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.