On February 7, 2019, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018. The resolution agreement cited two breach notifications that OCR received from the parent company of several hospitals in California. In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server; this breach affected more than 50,000 individuals. In 2015, the provider submitted notice of a second breach, this one resulting from an employee's activation of the wrong website, which affected more than 11,000 individuals.
In reaching a settlement with the OCR, the provider agreed to pay $3 million and to undertake a corrective action plan under OCR’s supervision. The action plan aims to address issues that OCR raised with respect to the provider’s HIPAA compliance. These corrective measures include:
- Undertaking an enterprise-wide risk analysis.
- Implementing a risk management plan to address the risks that the analysis identifies.
- Establishing a written process to evaluate environmental or operational changes that affect the security of electronic protected health information held by the provider.
- Developing/revising written privacy and security policies and procedures that address certain HIPAA compliance requirements.
- Distributing the policies and procedures to workforce members who handle protected health information.
- Requiring members of its workforce to undergo HIPAA and security training.
Of these action items, the requirement for a written process to evaluate changes affecting security speaks most directly to the breaches this provider experienced: each followed a change to a system holding electronic protected health information (a contractor's removal of security protections in one case, an employee's activation of the wrong website in the other). Every entity subject to HIPAA would be well advised to confirm, before a change to its electronic information systems, or to how information is held, displayed or transmitted through those systems, takes effect, that the change does not compromise the security of the protected health information those systems contain.
Notice of this resolution agreement appeared in a broader announcement trumpeting the success of the OCR’s enforcement efforts for the past year. The $3 million payment increased the amount collected by the OCR in HIPAA enforcement actions in 2018 to $28.7 million, the most that the OCR has ever collected in a single calendar year. The year included some significant successes for the OCR, including a $4.3 million judgment by an administrative law judge in a case where the parties did not enter into a resolution agreement.
The OCR's summary of its 2018 enforcement efforts is informative, but it is only part of the story. The amount collected in a single year is a partial measure of success at best. Even looking only at dollars and cents, it is difficult to read 2018 as a signal of increased enforcement. More than half of the 2018 total ($16 million) came from a single settlement with Anthem, Inc. That settlement related to the 2014-15 data breach that affected almost 79 million individuals, the largest health data breach ever identified in the U.S. In addition, the 2018 collections follow a relatively quiet 2017, so it is possible that actions not completed in the prior year spilled over into the next. More generally, the success of HIPAA enforcement in any one year is not measured only by the amounts the OCR collects that year. The amounts collected in 2018 pertain to breaches that occurred years earlier and reflect the enforcement activity of prior years; to a significant degree, the success of the 2018 enforcement efforts will be measured by collections in years to come.
However, the ultimate measure of success in enforcement will not be determined by the amounts collected, but by the extent to which enforcement requires and encourages covered entities and their business associates to comply with the HIPAA rules in a meaningful manner that reduces the risks to the sensitive data they gather, create, maintain and transmit.