2019 was another year of stringent HIPAA compliance enforcement. Action taken by the Department of Health and Human Services' Office for Civil Rights (OCR) resulted in 10 financial penalties, and $12,274,000 was paid to OCR in 2019 to resolve HIPAA violation cases.
In 2019, two civil monetary penalties were imposed and settlements were agreed with eight organizations, one fewer than in 2018. The average fine applied in 2019 was $1,227,400.
Very egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 offer insight into OCR's preferred method of dealing with noncompliance. Even when HIPAA violations are identified, OCR typically chooses to resolve cases through voluntary compliance and by supplying technical assistance. When technical assistance is given and covered entities do not act on OCR's advice, financial penalties are likely to follow.
If you are advised by OCR that your interpretation of HIPAA is incorrect, or are otherwise given technical guidance, it pays to act on that guidance swiftly. Failing to take corrective action is a good way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.
There were two main HIPAA enforcement updates in 2019: OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act's requirements for HIPAA penalties, and a new enforcement initiative was launched.
The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS issued an interim final rule that implemented a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act in relation to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same highest penalty of $1,500,000 per violation category, per calendar year, to all four penalty tiers.
In April 2019, OCR released a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a cut in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were amended to $25,000, $100,000, and $250,000 for penalty tiers 1, 2, and 3 respectively (subject to inflationary increases).
2019 saw the beginning of a new HIPAA Right of Access enforcement initiative focusing on organizations that were overcharging patients for copies of their medical records and were not supplying copies of medical records in a timely fashion in the format requested by the patient.
The extent of noncompliance was highlighted by a study carried out by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays in supplying copies of medical records, refusals to share patients' PHI with their nominated representatives or their chosen health apps, not handing over a copy of medical records in an electronic format, and overcharging for copies of health records are all typical HIPAA Right of Access failures.
The two HIPAA Right of Access settlements agreed so far under OCR's enforcement initiative have both led to $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.
Apart from Right of Access violations, the same areas of noncompliance continue to attract fines, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.
HIPAA Compliance Problems Cited in 2019 Enforcement Actions

| Noncompliance Issue | Number of Cases |
| --- | --- |
| Risk Analysis | 5 |
| Breach Notifications | 3 |
| Access Controls | 2 |
| Business Associate Agreements | 2 |
| HIPAA Right of Access | 2 |
| Security Rule Policies and Procedures | 2 |
| Device and Media Controls | 1 |
| Failure to Respond to a Security Incident | 1 |
| Information System Activity Monitoring | 1 |
| No Encryption | 1 |
| Notices of Privacy Practices | 1 |
| Privacy Rule Policies and Procedures | 1 |
| Risk Management | 1 |
| Security Awareness Training for Employees | 1 |
| Social Media Disclosures | 1 |
OCR's HIPAA enforcement in 2019 also clearly showed that a data breach does not need to have occurred for a compliance investigation to be opened. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the breach, but complaints can also lead to an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.