Despite the announcement made last week by the Department of Health and Human Services Office for Civil Rights (OCR) about certain reduced penalty caps under the Health Insurance Portability and Accountability Act (HIPAA), OCR has shown in this week’s settlement that it still plans to vigorously enforce HIPAA.

New Maximum Annual Penalty Caps

On April 30, 2019, OCR announced in a Notification of Enforcement Discretion new annual penalty caps for identical violations of a requirement or prohibition under HIPAA. Specifically, under HIPAA, the penalty tiers are based on four levels of culpability. Until the announcement, the annual cap for identical violations was $1.5 million for every level of culpability. Now, after the announcement, only the last tier (willful neglect-not corrected) is subject to that higher cap of $1.5 million. The lower three tiers of culpability have lesser annual caps for identical violations—specifically, willful neglect-corrected – $250,000; reasonable cause – $100,000, and no knowledge – $25,000. The settlement announced this week signals that OCR is still willing to pursue enforcement of HIPAA violations and to seek big settlements for those violations.

New Settlement

A medical imaging company has agreed to pay OCR $3,000,000 to settle potential violations of HIPAA. In May 2014, the company was notified by the Federal Bureau of Investigation (FBI) and OCR that patients’ protected health information (PHI) was exposed online through an insecurely configured FTP server. The uncontrolled access permitted search engines to index patients’ PHI, which remained visible on the internet even after the server was taken offline.

The company initially claimed that PHI was not exposed, but OCR’s investigation revealed that the name, date of birth, phone number, and address (and in some instances, social security numbers) of 307,839 individuals had been accessible to the public through the insecure FTP server. OCR’s investigation also found that the company failed to (1) investigate the security breach until several months after receiving notice from the FBI and OCR; (2) timely notify individuals affected by the breach; and (3) conduct a thorough risk analysis of potential risks and vulnerabilities to the confidentiality of PHI held by it.

In addition to the $3 million penalty, the company agreed to enter into a Corrective Action Plan (CAP), which includes the review and adoption of business associate agreements with vendors and third party service providers; completion of a thorough, enterprise-wide (and OCR-approved) risk assessment that analyzes security risks and vulnerabilities; and the implementation of comprehensive policies and procedures to comply with HIPAA.

Lessons to be Learned from the Settlement

This settlement evidences OCR’s ongoing commitment to enforcing HIPAA compliance and serves as a reminder that demographic information tied to a covered entity (even absent clinical information) constitutes PHI.

Additionally, security incidents should be addressed in a timely and thorough manner—in terms of both remediation of the incident and notification of appropriate individuals and others. It also shows that OCR (as other regulators have indicated recently) not only wants companies to do annual risk assessments, but expects those risk assessments to be comprehensive and based on a thorough analysis of threats and legal requirements.

And, last, this settlement highlights—as have several other settlements in the recent past— the perils of not properly identifying third party vendors who are business associates and the failure to enter into business associate agreements with them as required by HIPAA.

Proactive Steps Your Company Can Take to Reduce Risk of OCR Enforcement

To mitigate the risk of being in a similar situation, covered entities and business associates should:

  1. Build and test an Incident Response Plan. An organization’s ability to timely identify and respond to a security incident is critical to protecting PHI and complying with HIPAA and other breach notification regimes (e.g., the state law regimes). Create an incident response plan and regularly perform tabletop exercises to evaluate the organization’s processes, tools, and proficiency in handling a breach.
  2. Conduct thorough, annual risk assessments with an eye to legal defensibility. Risk assessments are required under the HIPAA Security Rule and can lead to protection from arguments that safeguards in place at the time of an incident or otherwise were inadequate.
  3. Implement and maintain a business associate compliance program. Covered entities and business associates must identify third party vendors who are business associates as defined by HIPAA and enter into business associate agreements (BAAs) with them prior to sharing PHI. Not having appropriate BAAs in place is an easy way for OCR to prove lack of compliance with HIPAA.

OCR’s press release and resolution agreement with the practice are available here.

For help with responding to a HIPAA complaint or investigation initiated by OCR or a state attorney general or a security incident, conducting a thorough and prioritized risk assessment, or developing or updating a HIPAA compliance program, or for any other inquiries, please contact one of the authors.