HHS OCR Resumes HIPAA Enforcement Action Announcements: Four New Settlements and Penalties Totaling More than $5 million in a One Month Period

After a pause of nearly two months, the Department of Health and Human Services Office of Civil Rights (HHS OCR) has resumed its announcement of settlements for alleged HIPAA violations, with four new settlement agreements announced between April 12 and May 10, 2017. The settlements include penalties ranging from $31,000 to $2.5 million:

  • Memorial Hermann Health System (MHHS)—improper disclosure of protected health information (PHI) (announced May 10th). MMS agreed to pay $2.4 million to resolve HHS OCR claims that MHHS violated HIPAA by identifying a patient by name in a September 2015 press release after the patient was arrested for allegedly presenting a fraudulent identification card to MHHS. HHS OCR also faulted MHHS for failing to promptly sanction those, including senior management, responsible for the press release.
  • CardioNet—failings found after theft of unencrypted laptop (announced April 24th). CardioNet agreed to pay $2.5 million to resolve HHS OCR claims relating to the theft of an unencrypted laptop containing the electronic PHI of 1,391individuals from a parked vehicle outside an employee’s home in January 2012. HHS OCR faulted CardioNet for “insufficient risk analysis and risk management processes” as well as having policies for compliance with the HIPAA security rule that were in draft form and had not been implemented. HHS OCR also alleged that CardioNet was “unable to produce any final policies or procedures regarding the implementation of safeguards for electronic PHI, including those for mobile devices.”
  • Center for Children’s Digestive Health (CCDH)—no business associate agreement (announced April 20th). CCDH, a small for-profit pediatric practice, agreed to pay $31,000 to resolve HHS OCR claims arising from the inability of CCDH to document the existence of a business associate agreement with a vendor used to store paper files relating to inactive patients. While the relationship and the transfer of PHI dated back to 2003, the only business associate agreement that could be located was executed in 2015. The investigation of CCDH appears to have resulted from an HHS OCR investigation of the vendor, FileFax Inc., which was already underway.
  • Metro Community Provider Network (MCPN)—failings found after a phishing hack (announced April 12th). MCPN agreed to pay $400,000 to resolve HHS OCR claims relating to a January 2012 phishing incident that resulted in hackers compromising employee email accounts and obtaining the electronic PHI of about 3,200 individuals. HHS OCR found that MCPN failed to conduct a risk assessment until after the phishing incident and, as a result, had “not implemented any corresponding risk management plans.” HHS OCR also found that the risk assessments subsequently conducted were “insufficient” to meet MCPN’s obligations under the Security Rule.

These four matters were well on their way to resolution prior to the appointment of Roger Severino as the new Director of HHS OCR at the end of March. It is unclear what impact, if any, Director Severino had on the resolution of these cases or the penalty amounts paid by the organizations subject to these resolution agreements. Speaking at the Health DataPalooza conference in Washington at the end of April, Director Severino again indicated his desire to eliminate unnecessary regulatory burdens, but he also spoke of how his father had been a victim of identity theft. While it is too soon to say, this may suggest that while Director Severino and HHS OCR may begin to look for ways to reduce regulatory burdens, investigations triggered by data breaches may continue result in significant penalties.

The four settlements, taken together, are a reminder to organizations subject to HIPAA of the wide range of issues that can trigger an HHS OCR action and the importance of conducting risk assessments, executing business associate agreements, training workforce members (including senior management), sanctioning workforce members when appropriate, and implementing policies and procedures to comply with HIPAA’s other privacy and security requirements. The settlements that resulted from investigations of data breaches are another reminder that while breaches often are the trigger for an HHS OCR investigation, the resulting settlement can be, and often is, driven by other compliance failings alleged by HHS OCR as a result of its investigations. As a result, any organization handling protected health information, whether as covered entity or as a business associate, should review its HIPAA compliance program, policies, and procedures.