OCR Issues Two HIPAA Enforcement Actions, Plus Adjusts Future FinesSettlement With University of Rochester Medical Center, Penalty for Texas HHS Commission
(This story has been updated.)
See Also: The Global State of Online Digital Trust
The Department of Health and Human Services' Office for Civil Rights has slapped two more organizations with hefty HIPAA enforcement fines.
Meanwhile, HHS announced increases to future HIPAA civil monetary penalties to adjust for annual inflation in a move some observers say is likely to create confusion and uncertainty, given earlier announcements about plans to reduce penalties.
Latest HIPAA Enforcement Actions
OCR on Tuesday said it signed a $3 million HIPAA settlement with the University of Rochester Medical Center related to breach reports in 2013 and 2017 involving the losses of an unencrypted flash drive and an unencrypted laptop.
URMC, which includes the School of Medicine and Dentistry and Strong Memorial Hospital, is one of the largest health systems in New York state with over 26,000 employees.
On Thursday, OCR announced it has issued a $1.6 million civil monetary penalty against the Texas Health and Human Services Commission in a case involving HIPAA violations from 2013 to 2017.
At the center of the case was an investigation by OCR into a 2015 breach at a Texas HHSC agency involving the exposure over the internet of information pertaining to 6,600 individuals, including names, addresses, Social Security numbers and treatment information.
In a statement provided to Information Security Media Group, Texas HHSC says it "takes information security and privacy seriously for all the people we serve. We are continually examining ways to strengthen our processes for the health and safety of Texans." But the agency did not comment on the specifics of the HIPAA penalty.
So far in 2019, OCR has taken HIPAA enforcement actions against at least seven entities, including URMC and Texas HHSC, totaling nearly $10 million.
OCR in a statement Tuesday says its investigation into the URMC breaches revealed that the medical center failed to:
- Conduct an enterprisewide risk analysis;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Utilize device and media controls;
- Employ a mechanism to encrypt and decrypt electronic protected health information.
"Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC," OCR says. "Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices."
Roger Severino, OCR director, said in a statement: "Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
Under its resolution agreement with OCR, URMC will implement corrective action plan that requires two years of monitoring compliance with the HIPAA rules.
The plan requires URMC to conduct a security risk analysis and develop and implement a detailed risk management plan, including policies for encryption and decryption.
The settlement agreement with OCR concludes an investigation into IT security practices at URMC, following two unrelated incidents that the medical center voluntarily reported in 2013 and 2017, URMC notes in a statement provided to ISMG.
"Potentially affected patients were notified at the time both of these incidents occurred, and we have no reason to believe that any patient's personal health information was misused," the statement says.
"The medical center is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach. As part of the settlement with HHS, we will undertake a comprehensive audit of security practices and implement any corrective actions needed to ensure our safeguards are as strong as possible," URMC says.
Texas HHSC Penalty
In a statement, OCR says the penalty against Texas HHSC involved the Department of Aging and Disability Services, a Texas state agency that administered long-term care services. DADS was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information of 6,617 individuals was viewable over the internet. The exposure occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials, OCR says.
OCR's investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprisewide risk analysis and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed ePHI.
"Covered entities need to know who can access protected health information in their custody at all times," Severino said in the statement. "No one should have to worry about their private health information being discoverable through a Google search."
In other action on Tuesday, HHS issued a final rule to adjust its civil monetary penalties for annual inflation - including civil monetary penalties for HIPAA violations. The increase of about 1 percent, which affects all tiers of HIPAA enforcement penalties, goes into effect immediately.
Even though OCR in April issued a "notice of enforcement discretion" that significantly lowered HIPAA fines for some less serious violations, the new "adjusted" civil monetary penalties published Tuesday are based on the schedule of higher penalties that were in place prior to OCR's April announcement.
For example, back in April 2019, OCR lowered the annual civil monetary penalty cap for the "no knowledge" level of HIPAA culpability from $1.7 million to $25,000, with OCR calling the higher amount inconsistent with the authority set by Congress in the HITECH Act.
OCR's notice of enforcement discretion published on April 30 lowering some HIPAA fines for less egregious cases noted that HHS would engage in future rulemaking to revise its HIPAA penalty tiers. But so far that has not happened.
So, until OCR issues specific rulemaking to "officially" lower penalty tiers for HIPAA violations, the final rule on Tuesday by HHS about "adjusted" civil monetary penalties raises the annual cap for most culpability tiers to $1.75 million.
Until OCR issues formal rulemaking to lower its HIPAA fine tiers, "HHS could legally issue higher fines at any point," says privacy attorney Iliana Peters of the law firm Polsinelli. Before doing so, however, HHS would most likely issue notice warning organizations of a return to potentially higher fines, she adds.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that "while [the Trump] administration will likely follow the April 2019 enforcement clarification, until the regulations are amended with the lower annual caps, future administrations will be free to renew the prior interpretation" of higher penalties.
Cause for Confusion?
Privacy attorney David Holtzman of security consultancy CynergisTek says the schedule of adjusted HIPAA civil monetary penalties published on Tuesday will likely create confusion and uncertainty among HIPAA covered entities and business associates.
"Covered entities and business associates better belt yourself in. We could be in for a bumpy ride."
—David Holtzman, CynergisTek
"They have reason to wonder what the annual limit is that can be levied by OCR as penalties for violations of the regulations," Holtzman notes.
"Does this notice issued by HHS signal a conflict between the HHS secretary and the OCR director who is delegated the authority to enforce the HIPAA regulations? Will OCR issue a clarification on how it is applying its enforcement discretion to the civil monetary penalties it will levy in light of this change announced by HHS? Covered entities and business associates better belt yourself in. We could be in for a bumpy ride."
But privacy attorney Kirk Nahra of the law firm WilmerHale says he expects current OCR leadership to stick with the lower HIPAA penalty tiers issued in April, even if OCR has the legal authority to levy the higher fines still on the books.
"In general, OCR seems to be continuing its pattern throughout the HIPAA era - it is not a 'gotcha' agency," Nahra says.
"It looks carefully at whether people are trying to do the right things and it focuses its enforcement attention on serious problems, repeated issues and a modest number of 'example' cases where they want to make a point about a practice," he says. "OCR is still doing careful, thoughtful enforcement generally, even with reduced staff and more demands."
Similarly, Greene says he doesn't expect that HHS annual inflation adjustments will have a very substantial impact on OCR's enforcement inclinations.
"OCR has not historically sought to impose the maximum penalties or settlement amounts possible," he says. "Rather, OCR often uses minimum civil monetary penalty levels, rather than maximums."