HIPAA 2019 Year in Review: Lessons For 2020
2019 was a busy year for the Department of Health and Human Services’ (HHS) Office for Civil Rights. In 2019, OCR’s HIPAA enforcement efforts reflected both its existing key HIPAA compliance activities and its shifting priorities.
In October, the Director of OCR, Roger Severino, was a featured speaker at the “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference co-hosted on October 16 and 17 by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS).
At the conference, Severino recounted important aspects of HIPAA 2019 enforcement.
HIPAA 2019: What Enforcement Trends Should Covered Entities Be Aware of?
As made clear by Severino, as well as by the specific enforcement actions taken in 2019 by OCR, the key takeaways from HIPAA 2019 enforcement efforts are:
HIPAA 2019: Covered Entities Must Focus on the Right to Access
In 2019, OCR announced its “Right to Access Initiative,” under which OCR promised to robustly enforce patient rights to receive copies of their medical records. Under the initiative, OCR also promised to clamp down on providers that charge patients excessive fees for their medical records. (Earlier this year, the White House also issued an Executive Order on Improving Price and Quality Transparency in Healthcare – another measure designed to enhance patient rights.)
The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the protected health information (PHI) in their medical and other health records maintained by their health care providers and health plans. This right is known as the HIPAA Right of Access.
Under the HIPAA Privacy Rule Right of Access, medical record copy fees must be reasonable and cost-based.
This means that providers may only charge for the following:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form.
  - Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.
  - Labor for copying does not include:
    - Costs associated with reviewing the request for access;
    - Searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record;
    - Segregating or otherwise preparing the PHI that is responsive to the request for copying.
- Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media.
OCR settled its first right of access case under the 2019 Right of Access Initiative in September, with Bayfront Health St. Petersburg. Under the terms of the settlement, Bayfront had to pay an $85,000.00 fine and implement a corrective action plan (CAP).
On August 14, 2018, OCR received a complaint against Bayfront from a patient (“Complainant”). Complainant alleged that she requested her fetal heart monitor records from Bayfront starting in October 2017 and had not received them by the date of her complaint. HHS’ investigation revealed that Complainant submitted a written request on October 18, 2017 for the fetal heart monitor records; Bayfront replied that the records were not found. On January 2, 2018 and February 12, 2018, Complainant’s counsel requested the records. Bayfront provided a complete response to Complainant’s counsel on August 23, 2018, after providing an incomplete set of the records in March 2018. Complainant’s counsel shared the records with her and, as a result of OCR’s investigation, on February 7, 2019 – finally – Bayfront provided Complainant with the fetal heart monitor records directly.
Upon investigation of the matter, OCR found that Bayfront took an unacceptably long amount of time to provide the records.
OCR settled its second right of access case under the 2019 Right of Access Initiative in December. OCR settled with Korunda Medical, LLC. Korunda, a Florida healthcare provider that provides primary care and pain management treatment, agreed to pay $85,000 to settle a potential right of access violation. In addition, under the settlement, Korunda must abide by the terms of a corrective action plan (CAP).
In March, OCR received a complaint concerning a Korunda patient alleging that, despite repeatedly asking, Korunda failed to forward a patient’s medical records in electronic format to a third party.
Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format.
In addition, Korunda charged more than the reasonable, cost-based fee. OCR, after receiving the complaint, provided technical assistance to Korunda on how to remedy these issues, and then closed out the complaint.
The technical assistance apparently fell on deaf ears: despite OCR’s assistance, Korunda continued to fail to provide the requested records, thus triggering another OCR complaint. Upon receiving the second complaint, OCR intervened again. Only after the second intervention did Korunda provide the records – in May of 2019 – for free and in the format requested.
HIPAA 2019: Covered Entities Must Distinguish Between Right of Access Requests and Authorizations
At the October 2019 conference, Severino also emphasized that covered entities had failed to distinguish between the timeline associated with a right of access request and the timeline associated with an authorization.
The timeline associated with the right of access request is 30 days: covered entities must respond to a request for medical records within 30 days.
The “timeline” associated with HIPAA authorizations is the authorization expiration date. Under HIPAA, a patient authorization form (the form authorizing use or disclosure of protected health information) must contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
Notably, HIPAA does not impose any specific time limit on authorizations. For example, an authorization may state that it is good for 90 days, or even for 3 years. An authorization may also provide that it expires when the client reaches a certain age, or that it expires once the patient has received a specific course of treatment.
HIPAA 2019: Covered Entities Should Take Caution When Making Social Media Disclosures
Frequently, patients take to social media, such as Facebook and Twitter, to post complaints about providers. In doing so, patients make certain information – such as their names and information about their health status – public. Such information can be protected health information. While patients, who are not covered entities or business associates, may disclose their own PHI online, healthcare providers, bound by the HIPAA Privacy Rule, may not respond in kind by disclosing or confirming PHI when responding to online patient complaints.
Healthcare providers face a challenge when patients post complaints or make other statements on social media. Just because a patient has made certain information public does not mean that the provider can also post protected health information to respond to something the patient says.
HHS made this principle clear on October 2 when it entered into a $10,000.00 settlement with Elite Dental Associates. OCR’s investigation of Elite Dental Associates began in June of 2016, when OCR received a patient complaint. The patient alleged that the dental practice had responded to the patient’s Yelp social media posting by disclosing the patient’s last name and information about the patient’s health on Yelp.
OCR’s investigation determined that the dental practice did not have a policy or procedure to address compliance with HIPAA when using social media. OCR also found that Elite lacked a HIPAA-compliant Notice of Privacy Practices.
The parties entered into a resolution agreement that (in addition to the monetary fine) required Elite to abide by a two-year corrective action plan (CAP). Notably, the resolution agreement stated that the practice had responded to other social media reviews using PHI as well.
OCR decided to accept a reduced settlement in light of the fact that Elite cooperated with OCR during the investigation. The fine was also reduced in light of the practice’s size and financial circumstances.
The company agreed to a corrective action plan (CAP), which will last for two years. Among other things, the CAP requires development of certain policies and procedures, distributing them to all workforce members, and obtaining from each workforce member a signed compliance certification indicating that the workforce members have read, understand and will comply with them. The policies and procedures must be assessed at least annually and revised as needed.
HIPAA 2019 Key Takeaway 1: Cases are Chosen Based on Import and Message
This case underscores an important point noted by Severino: OCR chooses cases based on their import and potential message, with OCR’s Director stating that “we go for big cases and small cases.” Severino stated that OCR has no monetary targets for its investigations and settlements.
In other words, this case had an import beyond its (small) “dollar value”; OCR used this case to “send a message” that covered entities must observe the HIPAA Privacy Rule when they use social media.
HIPAA 2019 Key Takeaway 2: Cooperation Matters
Covered entities are required by law to cooperate with OCR during the investigation. Timely cooperation is one factor OCR may take into account when determining a settlement penalty figure.
The cooperation requirement cuts both ways: Entities that fail to cooperate with OCR subject themselves to higher fines, as illustrated by a 2011 Civil Monetary Penalty assessed against Cignet Health in the amount of $4.3 million.
During OCR’s investigations of Cignet, Cignet refused to respond to OCR’s repeated demands to produce patient medical records. Additionally, Cignet failed to cooperate with OCR’s investigations of patient right of access complaints, including failure to produce the records in response to OCR’s subpoena.
OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment (a judgment against a party who fails to answer the allegations made against it) against Cignet on March 30, 2010. On April 7, 2010, only after a lawsuit was filed against it, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.
OCR found that Cignet’s failure to cooperate with OCR’s investigations was due to willful neglect, resulting in the hefty monetary penalty.
HIPAA 2019 Key Takeaway 3: Financial Circumstances and Size are Considered
The reduced monetary penalty in the Elite Dental Associates matter was assessed, in part, due to OCR’s taking into account the size of the practice, as well as its financial circumstances. The HIPAA regulations specifically provide that HHS takes into account covered entity size and financial circumstances in determining monetary penalties.
HIPAA 2019: Government Entities Can be Fined, Too
In October, OCR imposed a $1.6 Million Civil Money Penalty against the Texas Health and Human Services Commission, a Texas state agency, for multiple HIPAA violations committed between 2013 and 2017.
The Texas Health and Human Services Commission (TX HHSC) is a Texas government state agency. Its charge is to improve the health, safety and well-being of Texans with good stewardship of public resources. TX HHSC is part of the broader Texas Health and Human Services system, which:
- Operates state-supported living centers;
- Provides mental health and substance abuse services;
- Regulates child care and nursing facilities; and
- Administers programs for Texans who need assistance, including supplemental nutrition benefits and Medicaid.
TX HHSC’s predecessor agency was the Department of Aging and Disability Services (DADS). DADS was reorganized into TX HHSC in September of 2017.
In October of 2015, DADS filed a breach report with OCR. In its report, DADS informed OCR that the electronic protected health information (ePHI) of almost 7,000 individuals was viewable over the Internet. The ePHI consisted of (among other things) names, addresses, social security numbers, and treatment information.
The breach occurred innocently, when an internal application was moved to a public server from a private, secure one. A flaw in the software code allowed ePHI to be viewed without access credentials.
In its investigation, OCR determined that DADS had violated the HIPAA Security Rule by:
- Failing to conduct an enterprise-wide security risk analysis.
- Failing to implement access and audit controls on its information systems and applications.
Because DADS’ audit controls were inadequate, DADS could not determine how many unauthorized persons accessed individuals’ ePHI.
TX HHSC did not dispute OCR’s Notice of Proposed Determination, which proposed to fine TX HHSC in the sum of $1.6 million. OCR then issued a Notice of Final Determination, imposing a fine of $1.6 million.
The story of TX HHSC drives home several points. The first of these points is that entities that do not implement access controls, perform risk analysis, or implement audit controls, are committing HIPAA Security Rule violations, and, as such, are subject to fines. The second point is that OCR can fine not only private entities, but state government agencies as well, if these state government agencies are themselves covered entities or business associates.
HIPAA 2019: Entities Must Take Cybersecurity Seriously
At the conference, Severino recommended that organizations “really consider” testing employees about phishing, describing such training as “almost becoming standard,” and that organizations “really consider two-factor authentication.” He also emphasized the importance of appropriate access controls, including that “shared passwords are a huge no-no.” Severino has also noted that “Neglecting to have a comprehensive, enterprise-wide risk analysis…as illustrated by this case, is a recipe for failure.”
Severino’s concerns about cybersecurity are well-founded. During the first three quarters of 2019, hacking/IT breaches comprised over 60% of reported breaches involving 500 or more affected individuals. In the previous decade, hacking/IT breaches comprised only 28% of such reports. 65% of breaches in 2019 were directed at network servers and email – a record high. These higher figures can be attributed to increasingly well-targeted and sophisticated hacking techniques, including phishing techniques.
Failure to train, to implement appropriate access controls, and/or to conduct risk analyses resulted in phishing and other cyberattacks in 2019 – and in resultant OCR fines – as shown by the following examples:
HIPAA 2019 Example One: Touchstone Medical Imaging
In 2019, Touchstone Medical Imaging (“Touchstone”), a multistate diagnostic imaging provider, agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan, to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules.
The breach occurred as a result of a server’s allowing uncontrolled access to PHI. This access permitted search engines to index patient PHI, thereby allowing the PHI to remain visible on the Internet even after the affected server was taken offline.
OCR’s investigation found that Touchstone failed to:
- Conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. As a result, the PHI of 300,000 patients was exposed.
HIPAA 2019 Example Two: Medical Informatics Engineering, Inc.
In 2019, Medical Informatics Engineering, Inc. (MIE), an Indiana company that provides software and electronic medical record services to healthcare providers, agreed to pay $100,000 to OCR and to implement a corrective action plan, to settle potential violations of the Privacy and Security Rules.
The breach occurred as a result of hackers’ using a compromised user ID and password to access the ePHI of approximately 3.5 million patients. OCR, after investigation, determined that MIE failed to conduct a comprehensive risk analysis prior to the breach.
As OCR Director Roger Severino noted in a press release announcing the settlement, “Entities entrusted with medical records must be on guard against hackers. The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
MIE agreed to undertake a corrective action plan that required, among other measures, completion of a full, enterprise-wide risk analysis.
HIPAA 2019 Example 3: Cottage Health
In February of 2019, OCR announced it had, in December of 2018, entered into a resolution agreement with Cottage Health, a California healthcare provider. Cottage Health agreed to pay $3 million and to adopt a substantial corrective action plan to settle potential HIPAA violations.
OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015.
The first breach arose when ePHI on a Cottage Health server was accessible from the internet. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information.
OCR’s investigation revealed that Cottage Health:
- Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI;
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- Failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI.
Failure to conduct a risk assessment, failure to implement a remediation plan, and failure to conduct periodic security evaluations can each be a violation of the HIPAA Security Rule. As noted by Severino, “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”
HIPAA 2019: Business Associate Agreements are a Must
OCR highlighted that many HIPAA-regulated entities continue to lack appropriate business associate agreements. In addition to being a compliance violation in itself, the lack of such an agreement can contribute to other violations, such as a failure to respond appropriately to Right of Access requests or insufficient cooperation with OCR.
In the Touchstone Medical Imaging matter discussed above, OCR also found that Touchstone failed to have business associate agreements in place with its vendors, including its IT support vendor and a third-party data center provider, as required by HIPAA. In the Cottage Health matter, also described above, OCR also found that Cottage Health failed to have required business associate agreements in place. In each instance, not having a signed business associate agreement compromised the security of protected health information.
Not having business associate agreements in place can subject covered entities to significant liability. Having a business associate agreement in place ensures business associates are contractually obligated to take measures to safeguard ePHI.
HIPAA 2019: Timely Breach Notification is Essential
In 2019, OCR imposed a $2.15 Million Civil Money Penalty against Jackson Health System (JHS) for HIPAA violations (not potential violations). Violations of the Security Rule and the Breach Notification Rule occurred between 2013 and 2016.
JHS is a nonprofit academic medical system based in Miami, Florida. It operates a network of six major hospitals, urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics, providing services to approximately 650,000 patients annually.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records were also lost in December 2012, which increased the number of individuals affected to 1,436; however, JHS did not report the additional loss or the increased number of individuals affected until June 7, 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.
OCR’s investigation revealed that JHS:
- Failed to conduct enterprise-wide risk analyses;
- Failed to manage identified risks to a reasonable and appropriate level;
- Failed to regularly review information system activity records; and
- Failed to restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
The investigation also revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, in violation of the Breach Notification Rule reporting requirements, and JHS was fined for this failure as well. JHS waived its right to a hearing and did not contest the findings in OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination, and JHS has paid the full civil money penalty.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
HIPAA 2019: Ignorance of the Law is No Excuse
The day before Thanksgiving of 2019, OCR announced that it had secured a $2.175 Million settlement with Sentara Hospitals to settle potential Breach Notification and Privacy Rule violations, stemming from Sentara Hospitals’ failure to properly notify HHS of a breach of unsecured PHI.
Sentara Hospitals is a healthcare organization comprised of 12 acute care hospitals with more than 300 care sites in Virginia and North Carolina. Sentara Healthcare, a different entity, performed business associate services for Sentara Hospitals.
The initial complaint, made to HHS in April of 2017, alleged that Sentara Hospitals mailed 577 patients’ PHI, including patient names, account numbers, and dates of service, to the wrong addresses.
Sentara Hospitals reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.
In other words, Sentara took it upon itself to determine what constitutes PHI, even though the HIPAA regulations outline 18 specific identifiers. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of its duty to do so by OCR.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
This settlement illustrates an important point: Ignorance or misunderstanding of the HIPAA regulations cannot form the basis of refusing to report a breach. Covered entities must know what constitutes PHI; if they do not, they can be fined – even if they “just made a mistake as to what PHI is.”
HIPAA 2019: The Past is Never Dead
On December 30, 2019, through a press release, OCR announced that it had entered into a resolution agreement with West Georgia Ambulance, Inc., which provides emergency and non-emergency ambulance services. The agreement, entered into on December 23, requires West Georgia to pay a fine in the amount of $65,000.00.
In 2013, West Georgia filed a data breach report with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
The breach report described the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. On February 11, 2013, West Georgia submitted the required breach report to OCR, reporting that on December 13, 2012, the laptop fell off the back bumper of an ambulance. The laptop was not recovered.
OCR, upon receiving the report, conducted an investigation. The investigation uncovered longstanding noncompliance with HIPAA rules, dating back to at least 2012. The length of time during which the noncompliance continued played a role in the assessment of the HIPAA penalties West Georgia agreed to pay. The investigation revealed that West Georgia had failed to comply with, among other things, the risk analysis and security awareness and training requirements of the HIPAA Security Rule.
When a covered entity is suspected to be noncompliant, OCR may choose to offer technical assistance as an initial remediation measure. OCR offered such technical assistance to West Georgia. However, West Georgia failed to take meaningful steps to address its widespread noncompliance with the HIPAA Rules. As a result, West Georgia must now, as part of the resolution agreement, implement a corrective action plan (CAP), in addition to paying the fine.