
Online Extra
HHS Cracks Down on Health Care Privacy Violations under HIPAA

By Rebekah Mintzer
December 01, 2016

The U.S. Department of Health and Human Services shattered previous records for enforcing the Health Insurance Portability and Accountability Act in fiscal year 2016, according to an analysis by McDermott Will & Emery health care attorneys.

The HHS Office for Civil Rights extracted a total of $25.6 million in settlement payments between Oct. 1, 2015, and Sept. 30, 2016, more than triple the previous annual record of $7.9 million set in fiscal year 2014, according to the law firm.

In 2016, the OCR also reached 13 settlements, called “resolution agreements,” in HIPAA enforcement actions, a new high for an agency that has never before resolved more than seven HIPAA cases in a fiscal year.

Edward Zacharias and David Quinn Gacioch, partners in McDermott's Boston office who did the firm's analysis, said that they have heard directly from HHS officials that a new era of HIPAA enforcement is at hand.

“It's going to likely keep building on itself,” said Gacioch of the enforcement uptick.

Health and Human Services' civil rights office is responsible for enforcing HIPAA, the federal law passed in 1996 that allows individuals to continue their health insurance coverage after ending employment, and allows for electronic transfer of medical records. HHS adopted the Privacy, Security and Enforcement Rules under HIPAA in 2003, protecting the privacy and security of individuals' medical information when it is handled by health care providers and insurers.

The HITECH Act, passed in 2009 as part of the Recovery Act providing financial incentives for providers to switch to electronic records, extended some of the same privacy and security rules to medical contractors. In 2013, an HHS Omnibus Rule finalized an updated breach notification standard. Individuals have no private right of action under HIPAA, but the act doesn't preclude states from passing such laws.

Of nearly 22,500 received by HHS since 2003, however, the department had imposed a formal fine or civil monetary penalty in just one case and reached monetary settlement agreements in six others through 2011, according to Congressional testimony by Sen. Al Franken, D-Minnesota, that year.

The OCR has investigated and resolved 24,559 cases through Oct. 31, 2016, requiring changes in privacy practices and corrective actions since 2003, when HIPAA's privacy rule took effect, according to HHS. Its security rule took effect in 2005. The civil rights office refers matters involving deliberate disclosure or obtaining of protected health information to the Department of Justice for criminal prosecution, and 584 referrals had been made in the same period, according to HHS's web page on health-information privacy.

Zacharias said that the OCR gave covered entities the intervening years since 2005 to “really understand what the rules require,” and so from the agency's perspective, the “era of being more lenient” is ending.

Zacharias added that upped enforcement could also be due to criticism from elsewhere in the federal government. The HHS Office of the Inspector General has published multiple reports criticizing OCR enforcement of HIPAA privacy and security standards as weak, and members of Congress have expressed similar concerns.

According to the McDermott data, OCR is recovering more money in its settlements as well, with entities accused of violating HIPAA paying out an average of around $2 million, up from around $850,000 in recent years.

Settlement payments this year included a $5.55 million payout — the largest OCR has ever gotten from a single entity — announced in August from Advocate Health Care Network, a Chicago-area hospital and health care provider network that OCR alleged did not have HIPAA-compliant policies and procedures or sufficient data security, allowing data belonging to about 4 million individuals to be breached. The settlement included a corrective action plan.

McDermott's analysis also showed that in addition to monetary penalties, all resolutions in 2016 included corrective action plans for the alleged violators to remediate their HIPAA compliance programs.

One trend in corrective action plans that Gacioch said has emerged in recent years is the use of “Reportable Events” provisions, which require real-time reporting of every detected violation of a data privacy and security policy or procedure that falls within the corrective action plan's scope. He said that the use of this provision “opens up the potential for further regulatory action and the potential for liability that wouldn't otherwise be there.”

Change will be coming to HHS next year with President-elect Donald Trump's administration and his nominee to head the agency, Rep. Thomas Price, R-Georgia, a surgeon and foe of the Affordable Care Act, also known as Obamacare. But Zacharias said the uptick in HIPAA enforcement would likely remain regardless.

About 12.5 million medical records were breached between September 2009 and August 2016, according to the Privacy Rights Clearinghouse, a nonprofit education and advocacy group based in San Diego.

“I think cybersecurity is generally a bipartisan issue,” Zacharias said, “so for that reason it's unlikely that we're going to see a directive from the administration to cool it on enforcement.”

*****
Rebekah Mintzer writes for Corporate Counsel, an ALM sibling of this newsletter in which this article originally appeared. She can be reached at [email protected]. On Twitter: @rmintzer.