The breakdown: four HIPAA Privacy Rule impermissible disclosure cases. 17 right-of-access cases (15 settlements, 2 cases in which civil monetary penalties were imposed). One Security Rule violation case. The total amount of settlement and civil monetary penalty money collected: $2,170,140.
Trying to fashion a story or theme around this seemingly random and sleepy enforcement year seems difficult. This HIPAA 2022 review discusses potential reasons for OCR’s apparent shift in focus from security rule violations in data breach cases to right-of-access enforcement. This HIPAA 2022 review also goes over what covered entities and business associates can learn from the individual cases to prevent falling prey to fines in the future.
HIPAA Fines 2022 Review: Stop Making Sense
Attempts at a “Unified Theory of OCR Everything” have been made. One theory holds that a 2021 court case (resolved against OCR) has scared OCR off enforcing the Security Rule. Since this January 2021 court ruling, OCR has only entered into one Resolution Agreement containing a monetary settlement for a data breach.
In the January 14, 2021 decision striking down a $4.3 million fine imposed on the University of Texas MD Anderson Cancer Center, the U.S. Court of Appeals for the Fifth Circuit did indeed issue a ruling against OCR, finding the rationale for imposing a Security Rule-related fine to be unsound. Since January 14, 2021, OCR has indeed only entered into one data breach settlement, in July of 2022.
The “court scared OCR off” theory is only as solid as the evidence to support it, and there is little to no evidence that the court decision has actually influenced OCR’s decision as to which entities to investigate and for what reasons.
The ruling came from one of 13 federal appeals courts, and is only binding precedent on the states within that court’s jurisdiction (Mississippi, Louisiana, and Texas). The number of covered entities and business associates who have gone so far as to file a federal lawsuit, both before and after MD Anderson, in response to an unfavorable OCR decision, can be counted on two hands.
While the decision (which essentially held that a CE need only implement a mechanism for encryption; it need not actually do the encrypting, contrary to HHS’ position that entities must actually put measures they have implemented into practice) might have led OCR to enter into fewer data breach/security rule violation settlements, so might any number of other events in 2021 and 2022:
- A global pandemic
- The overruling of Roe vs. Wade
- A sudden change in OCR’s leadership (OCR has had two directors in the past year)
- OCR’s issuance of, and allowing time to comply with, detailed guidance on what constitutes “recognized security practices”
OCR has not shared its enforcement priority reasoning with the public. Instead of guessing why things might have been, it is instructive to look forward – to focus on what OCR has said it will do.
OCR has indicated that it will continue to clamp down on providers who violate the HIPAA Privacy Rule’s right of access provision. People who want to know if they might get in trouble for a Privacy Rule violation in 2023 need only look at the four impermissible disclosure cases and 17 right of access cases that OCR settled in 2022 or ended by imposing a fine.
HIPAA Fines 2022 Review: Do I Have Your Permission?
The first “impermissible disclosure” case has an almost storylike quality to it.
In 2017, Dr. David Northcutt, owner and operator of Northcutt Dental, decided to run for state senator for District 32 in Alabama under the Republican Party. On or about July 10, 2017, Dr. Northcutt provided an Excel spreadsheet to his Campaign Manager which contained the names and addresses of 3,657 patients of Northcutt Dental.
The Campaign Manager mailed letters to these patients to announce Dr. Northcutt’s run for state senate. The letter was on the campaign’s letterhead but addressed the recipient as “Dear Valued Patient.”
On April 30, 2018, Northcutt Dental sent an email communication to its patients regarding Dr. Northcutt’s campaign. The email header showed the email as coming from “Northcutt Dental” and the email message was signed “Sincerely, Northcutt Dental.” Northcutt Dental used a third-party marketing company, Solutionreach, to send the emails. The campaign email was sent to the same patients that received the mailed letter in July 2017 plus an additional 1,727 patients, for a total of 5,385 individual recipients.
Upon investigation, OCR concluded:
- Northcutt Dental impermissibly disclosed the name and address of 3,658 individual patients when it shared this information with Dr. Northcutt’s Campaign Manager in 2017. See 45 C.F.R. §164.502(a).
- Northcutt Dental impermissibly disclosed the name and email address of 5,385 individuals in 2018 when it shared this information with its marketing vendor for purposes outside the service arrangement in place. See 45 C.F.R. § 164.502(a).
Lesson: Patients should not be confused with voters.
In the second impermissible disclosure case, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review.
OCR imposed a $50,000 civil monetary penalty on the practice, after the office did not contest the findings in OCR’s Notice of Proposed Determination as to the penalty.
The facts of the third impermissible disclosure case stir interest.
In this case, OCR found that New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), improperly disposed of protected health information. To settle a potential Privacy Rule violation, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve this investigation.
The interest: NEDLC is located in Massachusetts and provides dermatology services. On March 31, 2021, one specimen container bearing a label containing PHI was found in the parking lot by a third-party security guard.
All of NEDLC’s specimen containers bear a label with the corresponding patient’s PHI. The PHI on the specimen label included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen.
On May 11, 2021, NEDLC filed a breach report with OCR stating that empty specimen containers with protected health information on the labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen.
OCR’s investigation, conducted by OCR’s New England Regional Office, found potential violations of the HIPAA Privacy Rule, including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.
In the fourth impermissible disclosure case, OCR settled with New Vision Dental, a dental practice in California, over allegations that the practice inappropriately used social media to respond to patient reviews, disclosing PHI. New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
HIPAA Fines 2022 Review: Fees and Penalties May Apply
Next up in this HIPAA 2022 review is the right of access cases. In 2022, OCR entered into settlements with 15 providers over potential Privacy Rule right of access violations. OCR imposed civil monetary penalties on two other providers for these violations.
Worth mentioning in the HIPAA 2022 review is that in one of these cases, OCR called the provider out for charging patients excessive fees for copies of their records. The right of access prohibits excessive fees.
In its Resolution Agreement with provider Jacob & Associates, OCR stated that this provider failed to provide timely access to PHI to a patient who requested that access. OCR also stated that the provider charged an unreasonable fee that is not cost-based. The right of access provision prohibits charging such fees to patients who seek copies of their records for their own use.
Finally, as it did with the other 14 providers with whom it settled, OCR concluded that the provider failed to implement policies and procedures regarding the right of access to protected health information.
HIPAA Fines 2022 Review: The Lessons for the Rest of ’Em (And Us)
The lessons from the right of access settlements and fines are:
- All providers are at risk of being investigated for a right of access violation. Most of the providers that were fined or that entered into resolution agreements in 2022 for such violations were small or solo practices.
- Not cooperating with an HHS investigation can increase the amount of a fine. One of this year’s right of access cases involved ACPM Podiatry. This practice failed to provide a former patient with his requested medical records. In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination. OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000.
- Providers should keep some kind of log that tracks access requests. A couple of the fines this year involved a patient making requests at different points in time for their records, and only some (or none) being followed up on by the provider. Keeping the log can show HHS that a provider is taking its right of access obligations seriously.
- Providers should know (and should train their staff to know) that patients, when requesting their own records for their own use, may only be charged a “reasonable, cost-based fee.” Also, providers should know that if a state law allows the provider to charge a higher fee than HIPAA allows, and that state fee is “per page” rather than tied to the actual cost of copying the records, the provider must charge the lower HIPAA fee.
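As an added illustration of the last three lessons (not code from the article, OCR, or any of the providers named), here is a minimal right-of-access request log that flags open requests past the response window, patients who had to ask more than once, and the fee check for a patient copying their own records. The 30-day window is taken from 45 C.F.R. § 164.524 and is not stated in the article; the log entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumption for this example: 45 C.F.R. § 164.524 gives a covered entity 30 days
# to act on a request. The article does not state the window; adjust to your policy.
RESPONSE_WINDOW = timedelta(days=30)


@dataclass
class AccessRequest:
    patient_id: str             # internal identifier; keep names out of exported reports
    requested_on: date
    fulfilled_on: Optional[date] = None


def allowed_fee(cost_based_fee: float, state_per_page_fee: float) -> float:
    """Fee for a patient copying their own records for their own use: a per-page
    state fee above HIPAA's reasonable, cost-based fee may not be charged."""
    return min(cost_based_fee, state_per_page_fee)


def overdue_requests(log: list, today: date) -> list:
    """Open requests that have exceeded the response window."""
    return [r for r in log
            if r.fulfilled_on is None and today - r.requested_on > RESPONSE_WINDOW]


def repeat_requesters(log: list) -> set:
    """Patients who had to ask again while an earlier request was still open,
    the pattern behind the ACPM Podiatry penalty."""
    by_patient = {}
    for r in sorted(log, key=lambda r: r.requested_on):
        by_patient.setdefault(r.patient_id, []).append(r)
    flagged = set()
    for pid, reqs in by_patient.items():
        for earlier, later in zip(reqs, reqs[1:]):
            if earlier.fulfilled_on is None or earlier.fulfilled_on > later.requested_on:
                flagged.add(pid)
    return flagged


# Constructed sample log (not real patient data) and the date of the review
SAMPLE_LOG = [
    AccessRequest("P-001", date(2022, 1, 3), date(2022, 1, 20)),
    AccessRequest("P-002", date(2022, 2, 1)),                    # never fulfilled
    AccessRequest("P-002", date(2022, 4, 15)),                   # had to ask again
    AccessRequest("P-003", date(2022, 5, 2), date(2022, 5, 10)),
]
AS_OF = date(2022, 6, 1)
```

Running `overdue_requests(SAMPLE_LOG, AS_OF)` and `repeat_requesters(SAMPLE_LOG)` surfaces patient P-002 on both counts, which is exactly the record a provider would want to be able to show OCR before a second complaint arrives.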
HIPAA Fines 2022 Review: Security at Oklahoma State University – Sooner or Later
On January 5, 2018, OCR received a breach notification report from OSU-CHS (Oklahoma State University Center for Health Sciences), reporting a breach of protected health information (PHI), which affected 279,865 individuals.
Specifically, OSU-CHS reported that on November 7, 2017, an unauthorized third party gained access to an OSU-CHS web server by uploading malware. OSU-CHS discovered that some of its workforce members stored folders on the web server that contained ePHI, including patients’ names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information.
OSU-CHS later reported that, on September 25, 2016, it discovered that an unauthorized user had previously accessed the same server, with the first date of access occurring on March 9, 2016. At the time of the 2016 incident, OSU-CHS reported that it was not aware that there was electronic PHI stored on that server.
Evidence gathered by OCR indicated OSU-CHS’s noncompliance with the following provisions of the Privacy, Security, and Breach Notification Rules:
- Uses and Disclosures of PHI (45 C.F.R. § 164.502(a))
- Security Incident Response and Reporting (45 C.F.R. § 164.308(a)(6)(ii))
- Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
- Evaluation (45 C.F.R. § 164.308(a)(8))
- Audit Controls (45 C.F.R. § 164.312(b))
- Breach Notification to Individuals (45 C.F.R. § 164.404)
- Breach Notification to the Secretary (45 C.F.R. § 164.408)
As part of a 2022 Resolution Agreement, HHS has agreed to accept, and OSU-CHS has agreed to pay HHS, the amount of $875,000 (“Resolution Amount”). OSU also agreed to enter into a corrective action plan (CAP).
HIPAA Fines 2022 Review: Recognized Security Practices
HHS is developing guidance for covered entities and business associates – guidance that explains what constitutes acceptable cybersecurity practices, and that explains the benefits of implementing them.
In January of 2021, HR 7898, nicknamed the Cybersecurity Best Practices bill, was signed into law. Under this federal law, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) must consider whether an entity used recognized cybersecurity practices in the year preceding a violation when deciding whether to penalize the organization.
Under the law, “recognized security practices” are:
- Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act)
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015
- Programs and practices developed in, recognized by, or set forth in federal laws other than HIPAA
In April of 2022, OCR issued a public Request for Information (RFI). The RFI sought public comment on how covered entities and business associates are implementing recognized security practices.
OCR sought comments to inform potential future guidance on implementing HR 7898. HHS sought public comment on three areas:
- How are covered entities and business associates implementing recognized security practices?
- How are covered entities and business associates adequately demonstrating that recognized security practices are in place?
- Are there any implementation issues covered entities and business associates would like OCR to clarify through future guidance or rulemaking?
After receiving public comment, HHS issued a video on recognized security practices, defining more clearly what these are and responding to specific public comments. HHS’ work in fashioning the guidance contours for HR 7898 is ongoing. In light of this ongoing work, interpreting 2022 as the year OCR abandoned enforcement of the Security Rule appears to draw too much from too little.