One of the most significant drivers for information security in the healthcare sector (or vertical) is regulatory pressure from the Department of Health and Human Services (or “HHS”). HHS’ Office for Civil Rights (or “OCR”) is responsible for enforcing the HIPAA Privacy and Security Rules. This monthly summary is provided by FRSecure as a service to our healthcare customers for insight into current regulatory enforcement activities and actions.
Source: HHS web site; http://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html. Much of the information contained in this summary is directly quoted from the HHS web site with emphasis and additional information added.
To date, OCR has investigated and resolved over 24,047 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate, which may include settling with the entity in lieu of imposing a civil money penalty.
To date, OCR has settled 29 such cases resulting in a total dollar amount of $27,974,400.00 (average $964,634.48). OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
NOTE: There have been three additional settlements totaling $5,100,000 since the last OCR update (10/31/15). In the 10/31/15 update, the totals were 26 settlements for $22,874,400.00 (average $879,784.62). Only one resolution agreement was announced during this same time period, which leads us to believe that there are potentially two more to be announced soon.
Most Recent Resolution Agreements and Civil Penalties
Organization: Lincare, Inc.
Date of Press Release: 2/3/16
Date of Incident: 12/1/08 (2,620 days)
Cause of Incident: Impermissible Disclosure of Protected Health Information 45 C.F.R. § 164.502(a), Failure to Safeguard Protected Health Information 45 C.F.R. § 164.530(c), and Administrative Requirements: Policies and Procedures 45 C.F.R. § 164.530(i)(1)
The Center Manager working at the Lincare operating center in Wynne, Arkansas allegedly left PHI belonging to 278 patients under a bed and in a kitchen drawer after she moved out of the home she shared with her estranged husband. Her husband was the Complainant.
Monetary Fine: $239,800
Other Penalties: No other penalties beyond the summary judgment for $239,800 were disclosed.
Notable Quote: “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules,” said OCR Director Jocelyn Samuels. “The decision in this case validates the findings of our investigation. Under the ALJ’s ruling, all covered entities, including home health providers, must ensure that, if their workforce members take protected health information offsite, they have adequate policies and procedures that provide for the reasonable and appropriate safeguarding of that PHI, whether in paper or electronic form.”
Additional Resolution Agreements and Civil Penalties
Previously covered in FRSecure’s last summary (dated 12/31/15)
Organization: University of Washington Medicine (UWM)
Date of Press Release: 12/14/15
Date of Incident: 11/24/13 (747 days)
Cause of Incident: undisclosed “breach of its unsecured electronic protected health information”