In 2017, the Department of Health and Human Services’ Office of Civil Rights (“OCR”) continued its HIPAA enforcement efforts, resulting in over $19,393,000 in settlements and civil monetary penalties. OCR investigations focused on various issues, including impermissible disclosures, data breaches, inadequate protection of protected health information (“PHI”) on electronic devices such as laptops and tablets, deficiencies in conducting enterprise-wide risk assessments, insufficient implementation of risk management protocols and procedures, delayed breach notifications, careless handling of PHI, and lack of valid business associate agreements with vendors. OCR’s largest settlement in 2017 was with Florida’s Memorial Healthcare System, which agreed to pay $5,500,000 to resolve allegations involving insufficient access controls to electronic PHI. OCR also assessed a $3,200,000 civil monetary penalty against Children’s Medical Center of Dallas for its impermissible disclosure of PHI.
In addition to its reactive enforcement activities, OCR is piloting a proactive HIPAA-compliance audit program. The pilot program is still in phase 2, but OCR recently released preliminary findings of desk audits conducted on 163 covered entities. According to OCR, these desk audits uncovered widespread HIPAA violations. For example, of the covered entities evaluated on their compliance with the HIPAA Privacy Rule, less than 1% were rated as fully compliant in implementing the Privacy Rule’s requirements for PHI access and notices of privacy practices. Moreover, close to 10% of the audited covered entities were rated as having presented no evidence that they had made any serious attempt to comply with those rules.
OCR’s preliminary findings also revealed similarly bleak ratings for covered entities’ compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management, as well as problems with the timeliness and content of breach notifications. Covered entities that failed these desk audits may face additional review by OCR, which may result in financial penalties. Although relatively few covered entities were directly affected by these audits, OCR intends to use the final results of this pilot program to establish a permanent audit program for future HIPAA enforcement.
The attorneys at Chilivis Grubman assist healthcare entities of all types and sizes with HIPAA-related issues, including audits, assessments, and OCR investigations. For any questions, or if we can assist you in connection with such a matter, please contact us at (404) 262-6505 or sgrubman@cglawfirm.com.