HIPAA enforcement activity reached an all-time record in 2018, according to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). In 2018, OCR levied $28.7 million in HIPAA fines. This record-breaking total surpassed 2016's $23.5 million in fines by 22%, and, as if that weren't impressive enough, OCR also issued the single largest fine in the history of HIPAA enforcement, $16 million, with Anthem Inc. in October 2018. The Anthem fine nearly tripled the previous record settlement of $5.5 million in 2016, setting a new trend for heightened enforcement efforts in the years ahead. This recent California HIPAA fine is just another example of OCR's dedication to HIPAA enforcement.
Cottage Health of California was the final organization to contribute to the record-breaking year after agreeing to pay $3 million to OCR in HIPAA fines in 2018. Cottage Health operates four medical institutions in California: Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation Hospital. Cottage Health reported two separate breaches of electronic protected health information (ePHI) to OCR, which together affected over 62,500 individuals and led to this California HIPAA fine.
In both cases, the breaches were cyber-security incidents that impacted patient privacy. The first breach occurred in December 2013, when ePHI on a Cottage Health server was found to be accessible from the internet. OCR's investigation uncovered that Cottage Health had failed to understand its risks and therefore had failed to implement policies and procedures to protect against those risks. As a result, patient names, addresses, dates of birth, diagnoses, and other treatment information were made available to anyone with access to Cottage Health's servers.
According to Marc Haskelson, President and CEO of Compliancy Group, “The increase in HIPAA enforcement is a reaction to the global need for better security protections in regards to people’s privacy. It requires a combination of compliance and security to keep ePHI secure and protect against violations like those that resulted in this California HIPAA fine.”
One of the biggest misunderstandings in the healthcare industry regarding HIPAA enforcement is the difference between security and compliance. Security is minimizing your risk of a breach of protected health information (PHI) or ePHI; in practice, it is the risk of your data being lost, stolen, compromised, or hacked. Compliance, on the other hand, is binary: you can either prove you have satisfied the requirements of the law or you can't. If you can't, you are not HIPAA compliant and can be fined in the event of a HIPAA violation.
Cottage Health experienced a second breach in December 2015 due to a mistake by its business associate. Cottage Health had hired a managed service provider (MSP) to oversee its technology; however, the MSP was not properly trained, and its error exposed unsecured ePHI over the internet, including patient names, addresses, dates of birth, Social Security numbers, and other treatment information.
Breaches like these are one of the reasons Compliancy Group gives health care professionals the ability to monitor and track their compliance from a single web-based solution. We allow users to carry out their compliance requirements and work with them to find cyber-security solutions that keep their business safe.
OCR's investigation determined that Cottage Health was neither secure nor HIPAA compliant by any means. The organization failed to understand its risks, failed to enforce policies and procedures to protect against those risks, failed to properly train employees, and failed to obtain a written business associate agreement with its MSP.
Cottage Health has not only agreed to pay the $3 million fine but will also adopt a substantial corrective action plan, or, in other words, prove its "good faith effort" toward becoming HIPAA compliant. Organizations need to understand that by implementing a true culture of compliance, the risk of HIPAA violations and subsequent fines can be significantly reduced.
OCR Director Roger Severino stated: "Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action. The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation when a covered entity makes system changes."