The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded.
Overall, payments of $22,855,300 were made to OCR during 2016 to settle alleged HIPAA breaches. Seven settlements exceeded $1,500,000.
Last year, OCR resolved alleged HIPAA violations with 12 healthcare groups. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed by OCR on a covered entity – Lincare Inc. – were legal, bringing the overall total to thirteen for 2016. Lincare was only the second healthcare group obligated to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other groups chose to settle with OCR voluntarily.
Financial sanctions are not always an appropriate punishment. OCR elects to settle potential HIPAA violations using non-punitive tactics. Financial penalties are reserved for the worst violations of HIPAA Rules, when widespread non-compliance is found, or in instances where healthcare groups have obviously disregarded HIPAA Rules.
While massive breaches of PHI may require financial penalties, and will have an effect on the final settlement amount, OCR has resorted to financial sanctions when comparatively few people have been affected by healthcare data breaches. 2017 has seen two settlements with groups for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary sanction – Lincare Inc.
A complete summary of 2016 HIPAA settlements with the Office for Civil Rights is outlined in the table below:
HIPAA Breach Settlements 2016 Summary
*Civil monetary penalty confirmed as legal by an administrative law judge
The highest HIPAA settlement of 2016 – and the highest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA breaches with Advocate Health Care Network for $5.5 million.
The previous highest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was mistakenly indexed by search engines. The two entities were obligated to pay OCR $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health histories.
2017 has kicked off with a settlement with Presence Health. The $475,000 settlement was entirely based on delayed breach notifications – the first time that a settlement has been agreed solely for a violation of the HIPAA Breach Notification Rule.
Looking ahead to 2017 and beyond, the future of HIPAA enforcement operations is unclear. The new administration may decrease funding for OCR, which would likely have an effect on HIPAA enforcement operations.
2017 will see the second round of HIPAA compliance audits completed, although it is not likely that a permanent audit program will begin this year.
In 2016, Jocelyn Samuels said OCR will keep “laser-focused on breaches occurring at health care entities,” and that OCR is focused on its goal to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”
Jocelyn Samuels will be departing the role of head of OCR and it is currently unclear who will replace her. While there are a number of preferable candidates for the position, incoming US President Donald Trump has a lot to do and the appointment of an OCR director is likely to be far down his to-do list. When a new OCR director is announced, we may discover that he/she has different aims for the OCR’s budget.
What we may see in 2017 is a continuation of enforcement operations that have already begun. HIPAA violation investigations take time to complete, and settlements take even longer. The 2016 HIPAA settlements are due to the data breach investigations that were completed in 2012-2013. The dramatic rise in data breaches in 2014 – and HIPAA violations that led to those breaches – may well see 2017 become another record-breaking year for HIPAA settlements and resulting payments.