The agency tasked with enforcing HIPAA compliance is the Department of Health and Human Services' Office for Civil Rights (OCR). Until 2016, only a few financial penalties were issued for HIPAA violations. The number of financial penalties issued then doubled in 2016, and there were even more enforcement actions in 2017.
2018 started slowly, with just a few financial penalties issued. There were rumors that OCR was slowing down its enforcement activities. But a flurry of settlement announcements came in the second half of the year, including the biggest HIPAA penalty ever issued.
The recently published Beazley Breach Insights Report included a review of OCR's enforcement activities in 2018. It revealed that OCR is not stepping back from enforcement actions against healthcare organizations. The settlements and civil monetary penalties in 2018 ranged from $100,000 to $16 million, with an average financial penalty of $2.8 million, up from $1.9 million in 2017.
The Beazley Breach Response (BBR) group likewise found that OCR is taking much longer to close and resolve its HIPAA case investigations. Cases now take 4.3 years to close, compared with 3.6 years in 2018.
The Beazley report warns healthcare organizations that an OCR investigation is not triggered only by a major breach. OCR is currently examining all breach reports and trying to identify patterns that point to non-compliance.
An example is the case of Fresenius Medical Care, which had five breaches, each involving fewer than 250 records. The pattern identified revealed non-compliance and resulted in a settlement worth $3.5 million.
There were several prevalent themes in HIPAA enforcement actions in 2018. One of the most common is a failure in risk analysis. Covered entities need to perform and record security risk analyses regularly. They need to create risk management plans to deal with vulnerabilities and minimize them to an appropriate level.
Access controls must be implemented and maintained. It is recommended that all ePHI be encrypted. If the entity decides not to encrypt, that decision should be properly documented and alternative measures implemented. The settlements likewise emphasize how vital it is to have signed business associate agreements with all vendors given access to PHI.
Although there were many Security Rule failures, the number of HIPAA settlements in 2018 also emphasizes the great importance of protecting patient rights and following the HIPAA Privacy Rule. Several privacy violation cases were settled, including filming patients and disclosing PHI without patient consent.