HIPAA Enforcement Updates

Although the Department of Health and Human Services, Office of Civil Rights Compliance (“HHS/OCR”) has been exercising its discretion to waive certain provisions of the HIPAA Privacy Rules during the COVID-19 pandemic, as previously discussed in this post, enforcement in other areas of HIPAA continues.

On September 21, HHS/OCR announced that Athens (GA) Orthopedic Clinic would pay $1.5 million and adopt a corrective action plan (“CAP”), including two years of monitoring to settle potential HIPAA violations following OCR’s investigation of a breach the Clinic reported in 2016. The breach involved over 200,000 patient records that had been hacked and may have been posted for sale online. The investigation found “long-standing systemic noncompliance with HIPAA,” including failure to: conduct a Security Rule risk analysis; implement risk management and audit controls; maintain HIPAA policies and procedures; enter into business associate agreements; and train workforce members on HIPAA compliance, all of which are basics of HIPAA compliance.

Similar noncompliance resulted in a $25,000 settlement and a CAP announced on July 23 for Metropolitan Community Health Center, a small federally qualified health center located in North Carolina, and a $100,000 settlement for a gastroenterology practice operated by Steven A. Porter, M.D., located in Ogden, Utah. The Metropolitan settlement resulted from an investigation of a breach involving disclosure of protected health information to an unknown email account that was reported in 2011, but the provider did not conduct a risk analysis, implement Security Rule policies and procedures, or provide training to its workforce on security awareness until 2016. The Porter settlement resulted from the report of a data breach involving a business associate of the practice, but the ensuing investigation found this provider also failed to conduct a risk analysis or implement security measures. As Roger Severino, OCR Director noted in the Porter settlement, “[a]ll health care providers, large and small, need to take their HIPAA obligations seriously” and expressed concern that failure to implement HIPAA basics “continues to be an unacceptable and disturbing trend” in the health care industry.

Note that on September 15, HHS/OCR and the Office of the National Coordinator (“ONC”) released the latest update to the HHS Security Risk Assessment Tool, version 3.2 (the “SRA Tool”).  The SRA Tool is a downloadable online tool that is designed to help small and medium-sized health care providers conduct the mandatory Security Rule risk analysis. Small and medium-sized health care providers (and business associates) can use the SRA Tool in lieu of engaging a third party vendor to conduct the risk analysis as one important step towards achieving Security Rule compliance. The HealthIT.gov webpage on the SRA Tool includes a wealth of information on HIPAA Basics, Privacy and Security resources and tools, and a link to the downloadable SRA Tool.

HHS/OCR is also continuing enforcement under its Right of Access Initiative, which it began in 2019 to support the HIPAA right of individuals to access their own health information and ensure individuals are not asked to pay excessive fees to obtain copies of their own records. Each of the health care providers involved in the five settlements announced on September 15 were investigated following receipt of complaints that the providers had failed to provide individuals with copies of, or access to, their own medical records. The amounts of the settlements were not excessively large, but “send a message” about the “importance and necessity of compliance” with HIPAA.

Health care providers should take heed of the message and the guidance HHS/OCR and the ONC have made available to ensure that the necessary HIPAA Privacy and Security Rule measures are in place.