Common Findings in OCR's Record Year of HIPAA Enforcement
2018 ended up being a record year for HIPAA enforcement actions! According to the Office for Civil Rights (OCR) 10 cases were settled and one case granted summary judgment in a case before an Administrative Law Judge totaling over $28 million from enforcement actions! This far surpassed the previous record of just over $23 million in 2016.
As part of recent announcement OCR provided a HIPAA summary of 2018 settlements and judgments. The summary was broken down by the actual months the enforcement action occurred.
- In January 2018, OCR settled for $100,000 with Filefax, Inc., and for $3.5 million with Fresenius Medical Care North America. Both were required to adopt a corrective action plan.
- In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil money penalties and adopt a corrective action plan for HIPAA violations.
- In September 2018, OCR announced that it has reached separate settlements totaling $999,000 with Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital (this was the privacy of patients' PHI violation resulting from filming of an ABC television network documentary). OCR also settled with Advanced Care Hospitalists for $500,000 in a separate and unrelated enforcement action.
- In October 2018, OCR settled with Allergy Associates, for $125,000 – which was a small amount – compared to the largest settlement to date that occurred with Anthem, Inc. who paid $16 million to OCR after a series of cyberattacks led to the largest U.S. health data breach in history!
- In November 2018, Pagosa Springs Medical Center paid $111,400 to OCR to settle potential HIPAA violations.
- And in December 2018, OCR Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules
Common Finding in Each Enforcement Activity
There is a common finding for each enforcement activity in 2018. The majority or organizations OCR settled with failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI. In other words, they did not perform a Security Risk Analysis (SRA) at all or failed to complete one that was sufficient for HIPAA regulations. Another key finding was failure to obtain a written business associate agreement with contractors who performed business associate functions on behalf on their behalf.
Therefore, we recommend that an initial SRA and subsequent reviews thereafter not ever be considered optional. In fact, a HIPAA Complaint SRA may be a healthcare organization's best defense in the event of an OCR investigation. We also recommend covered entities know who their business associates are, and business associates know who their subcontractors are, who perform business function activities. If they do, make sure you have an executed agreement in place.
Healthcare Compliance Pros can help your organization make sure you are in compliance with both of these very important HIPAA requirements. Contact us by phone: 855-427-0427 or by email: [email protected].