HIPAA Fines

2018 proved to be the strictest year for HIPAA fines in the history of enforcement, marking a new age of heightened risk for healthcare providers and vendors alike.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) set an all-time record in HIPAA enforcement activity in 2018. OCR levied a total of $28.7 million in settlements and judgments. This is a shocking 22% increase from the previous record of $23.5 million, and includes the largest individual settlement in history, a $16 million settlement with Anthem, Inc. The settlement is almost three times the previous record of $5.5 million, which was set in 2016.

Read on for a summary of some of 2018’s most significant HIPAA fines.

2018 HIPAA Summary: Settlements and Judgments

January 2018

In January 2018, Filefax, Inc. agreed to pay $100,000 to OCR to settle HIPAA violations. Filefax, a medical records maintenance, storage, and delivery services provider, disclosed protected health information (PHI) by leaving the PHI unsecured outside the Filefax facility. An OCR investigation found that the information was left in an unlocked truck in the Filefax parking lot, or was removed from Filefax by an unauthorized person.

In the same month, OCR settled for $3.5 million with Fresenius Medical Care North America (FMCNA). FMCNA, which provides products and services for people with chronic kidney failure, filed five breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012. Electronic protected health information (ePHI) of five FMCNA-owned covered entities was compromised. FMCNA provided unauthorized access to the ePHI of patients and failed to conduct an accurate and thorough risk analysis. The organization also faced potential violations such as failure to implement policies and procedures, as well as failure to set up measures to encrypt and decrypt ePHI.

June 2018

In June 2018, the University of Texas MD Anderson Cancer Center (MD Anderson) was forced to pay $4.3 million in civil money penalties for HIPAA violations after a judge ruled in favor of OCR. The Texas cancer center was under investigation after three separate data breach reports in 2012 and 2013; the investigation found that an unencrypted laptop was stolen from the residence of an MD Anderson employee and that two unencrypted USB thumb drives containing the ePHI of over 33,500 individuals were lost. MD Anderson had written encryption policies dating back to 2006, and, based on its own risk analysis, the lack of encryption on these devices posed a high security risk to the ePHI. Despite these findings, MD Anderson did not implement an enterprise-wide solution to encrypt ePHI until 2011, and even then, MD Anderson electronic devices containing ePHI between March 24, 2011 and January 25, 2013 still lacked sufficient encryption. MD Anderson has appealed this ruling with the Health and Human Services Departmental Appeals Board.

September 2018

In October 2018, Allergy Associates, a healthcare practice for adult and pediatric patients with asthma and allergies, agreed to pay $125,000 in a settlement with OCR. The breach occurred when a patient reached out to a local television station regarding a dispute with an Allergy Associates’ doctor in February 2015. A reporter followed up with the doctor, and the doctor impermissibly disclosed the patient’s PHI to the reporter.

October 2018

In October 2018, Anthem, Inc. paid the single largest HIPAA fine to date following a series of cyberattacks leading to the largest U.S. health data breach in history. The company agreed to pay $16 million to OCR and agreed to take corrective action to settle the violations. The breach occurred when cyberattackers gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack with the apparent purpose of extracting data, also known as an advanced persistent threat attack. Following the breach report, Anthem discovered the hackers accessed its system through phishing emails sent to an Anthem subsidiary; after at least one employee responded, the system was vulnerable to further attacks. OCR’s investigation revealed the breach affected nearly 79 million individuals and compromised PHI included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information, stolen between December 2, 2014 and January 27, 2015.

November 2018

In November 2018, critical access hospital Pagosa Springs Medical Center (PSMC) paid $111,400 to OCR. A former PSMC employee had continued access to PSMC’s web-based scheduling calendar after the individual was no longer employed by the medical center. PSMC impermissibly disclosed the ePHI of 557 patients to both the former employee and the calendar vendor—without a business associate agreement in place—because the information was available through the scheduling calendar.

December 2018

In December 2018, Cottage Health agreed to pay $3 million to OCR and to implement a corrective action plan related to two breach reports of unsecured ePHI affecting more than 62,500 individuals. The breaches exposed unsecured ePHI over the Internet, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results, and other treatment information. Cottage Health failed to take appropriate measures to safeguard its ePHI, including conducting risk assessments and implementing security measures to reduce risks. Cottage Health also did not have a written business associate agreement with the contractor that maintained its ePHI.

Lessons from 2018 HIPAA Fines

These unprecedented HIPAA fines should send a clear message to healthcare providers and to vendors working in the healthcare space alike that the risk of HIPAA violations is only growing. OCR now has a proven track record of levying millions of dollars in large-scale HIPAA settlements.

However, it’s important to remember that these are not the only fines and investigations that OCR conducted. The summary above includes only a few notable examples. If you wish to explore more data breaches that resulted in HIPAA violations, you can read about any of the thousands listed on the HHS Breach Notification Portal, also known as the “HIPAA Wall of Shame.”

The risk of HIPAA enforcement is not only targeted at larger organizations, which means that the time to address your HIPAA compliance and give yourself peace of mind is now!

Protect Against HIPAA Fines

Compliant organizations don’t get fined. Become compliant today!