Still with four months to go, 2016 has been a record-setting year for HIPAA enforcement by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Before September even begins, OCR has already levied over $20 million in fines resulting from its investigations of suspected HIPAA violations. This amount more than triples the $6.2 million in HIPAA penalties that it assessed for all of 2015. These enforcement actions included both the first-ever settlement of possible HIPAA violations by a Business Associate and the largest single fine to date, $5.5 million, for suspected HIPAA violations.
In addition, OCR has recently begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. While Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The factors that OCR’s Regional Offices will consider in this manner include:
- The type and size of the breach, including the amount, nature, and sensitivity of the PHI involved;
- Whether the breach involved theft or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- A particular covered entity or business associate’s breach history;
- A lack of reports of breaches affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.
This flurry of enforcement activity has occurred against the backdrop of “Phase 2” desk and onsite audits of approximately 200 – 250 covered entities and their business associates, which will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. In particular, these audits will focus on the contents of Notices of Privacy Practices, individuals’ rights to access protected health information, risk analysis, risk management, and the timeliness and content of breach notifications. There will also be a limited number of comprehensive on-site audits. All audits are expected to be completed by December 31, 2016.
Even if not selected for an audit, covered entities and business associates would be well-advised to review the Audit Protocol available through the HHS website, ensure that their internal list of business associates is current, and review and, if necessary, update their risk analysis and risk management in light of recent developments, particularly the proliferation of ransomware attacks targeting the health industry.