A recent surge in monetary Health Insurance Portability and Accountability Act (HIPAA) settlements is altering the compliance landscape at a time when new technical and legal challenges also are coming into play, practitioners and regulators told a recent conference.
“There’s no question we’ve seen a spike in enforcement,” said Adam Greene, an attorney with Davis Wright Tremaine LLP. The U.S. Department of Health and Human Services (HHS) now has reached 38 monetary HIPAA settlements and imposed actual penalties in two instances, he noted. Of these 40 cases, 27 originated with the covered entity’s required breach report.
The settlement amounts themselves also have spiked recently, Greene added. HHS’ Office for Civil Rights (OCR) takes the covered entity’s size into account when assessing these amounts, but “if you are a large entity, the size of the settlement amount is increasing,” he said.
OCR Director Jocelyn Samuels said the agency is “committed to using all of the tools in our toolbox,” including requiring corrective action and levying monetary penalties. “When there are compliance concerns, we will hold entities accountable.”
Samuels cited the recent $650,000 settlement with Catholic Health Care Services (CHCS) as an example of how OCR “goes in the front door” in response to breach report, and then discovers more systemic problems. On investigating CHCS’ report of a mobile device theft, OCR determined that the business associate had no policy on device removal and no risk analysis or risk management in place.
The recent surge culminated, thus far, with a $5.55 million settlement involving Advocate Health Care for three breaches including a desktop computer theft affecting a million patients’ protected health information (PHI). The unprecedented amount was due to “the extent and duration of the noncompliance that we found, and the number of records,” Samuels said. “Four million people is a huge compromise of PHI and something that clearly needed systemic attention.”
Other lessons from recent settlements, Samuels said, included the importance of encryption (“the gold standard of ensuring that your information is protected”) and strong passwords. “I know how enraging it is to have to change passwords all time,” she said, but adequate administrative controls are essential and “generic passwords aren’t adequate.”
While the large hospitals have faced the costliest settlements lately, OCR also has announced a new level of scrutiny for the smaller breaches that do not meet HIPAA’s “major” threshold of 500 individuals’ PHI. The agency realized that small breaches can illustrate the same kind of security concerns that elicit the large breach investigations, so “we will be ramping up our evaluation and investigation of small breaches,” Samuels said.
Private litigation
The landscape also may be changing for private data breach litigation, Greene said. The U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, while inconclusive, left open the possibility that a data breach could be deemed an “injury” in itself for legal standing purposes, even without a showing that the data was later misused. Courts have so far been reluctant to allow private lawsuits based on a breach alone, and the high court “didn’t open up the floodgates but didn’t close them either,” he said.
Meanwhile, the Federal Trade Commission (FTC) recently ruled in the LabMD case that a breach of health information constitutes “harm” in itself under the FTC Act, even absent an indication of later misuse. According to Greene, a key question will be, “is this limited to Section 5 of the FTC Act” or will it find its way into the courts?
Audit program
OCR has performed its Phase 2 desk audits of selected covered entities, and currently is evaluating the information gathered from these 167 entities, said Deven McGraw, OCR deputy director for health information privacy. OCR will send as preliminary draft report to the auditees shortly, she said.
In October, OCR plans to start auditing business associates—between 40 and 50 of them. These desk audits will focus on their risk analyses and their breach notifications to covered entities, McGraw said. The procedures generally will be the same as the covered entity audits, including the 10-day window to respond, she said. Next, OCR will perform some onsite audits, though far fewer than the desk audits.
McGraw encouraged all covered entities and business associates to consult OCR’s recently revised audit protocol. “The audit protocol is a tool for everyone to use,” whether audited or not, she said. It has details on meeting “every aspect of our regulations.”
Requests for third-party access
McGraw fielded a question about how a covered entity can minimize its liability when an individual asks to have sensitive PHI sent to a third party. The HIPAA rule on access rights, as amended in 2013, generally requires entities to grant such requests.
A covered entity can get the request in writing, and can note in the request form that “this information may be particularly sensitive,” as long as the form does not create obstacles to access, McGraw said. The underlying access right “is strongly established on the rule,” she noted. “HIPAA puts a thumb on the scale of ‘patient gets what they want.’ The one thing you cannot do is make a judgment call on behalf of the patient of whether this is a good idea.”
A provider could still explain to the patient, “these are the categories of health information in your records that I’ll be sending,” Samuels added.
Business associate audits
Another questioner asked about the possible consequences for a covered entity if its business associate is audited and found to be noncompliant.
OCR realizes the covered entity can’t always police its business associates, McGraw said. “It is not our intent to say, ‘how could the covered entity have allowed this to happen?’” However, if you’re giving the business associate direct access to your systems, for example, maybe you should be more “in their business,” she added. “It’s really a judgment call.”
A covered entity might be subject to enforcement action in that scenario, or if no business associate agreement is in place at all, McGraw noted.
Greene, McGraw, and Samuels spoke at the 25th National HIPAA Summit in Washington, D.C.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar. Questions? Comments? Contact David at dslaughter@blr.com for more information on this topic. |