This article, written by Wright Lindsey Jennings’ medical malpractice attorney Hayden Shurgar and published by the Healthcare Journal of Little Rock, explores trends in HIPAA audits and related penalties and enforcement.
The issuance of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act significantly changed the law governing healthcare privacy by instituting phased audits beginning in 2014, which included auditing of business associates, increasing the amount of civil money penalties, and allowing for the imposition of criminal and civil money penalties against not only covered entities but also business associates and subcontractors. These changes raised many questions about how these issues would be handled by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). The first few years of enforcement have provided indications as to how the OCR will act to enforce the new rules.
In 2011 and 2012, prior to the implementation of the new rules, the OCR launched a series of pilot audits, which focused solely on auditing covered entities. However, in 2014, the OCR announced that it would begin auditing covered entities and business associates. The auditing of business associates officially began in 2015 and marked the beginning of monitoring and enforcing business associate compliance with HIPAA. Additionally, 2015 was a record year for breaches, with an estimated 100 million healthcare records breached.
In direct relation to the unprecedented number of breaches in 2015, 2016 saw a dramatic increase in the number of enforcement actions, as well as the launch of phase 2 of the HIPAA Privacy, Security, and Breach Notification Audit. The 2016 audit program collected a historic $23 million in fines, more than a 300 percent increase from the previous record of $7.4 million set in 2014. Additionally, there were 13 enforcement actions taken by the OCR, which is six more than the previous record of seven in one year. The average enforcement action penalty in 2016 was $1.5 million, and the largest individual penalty assessed was $5.5 million.
In addition to increased enforcement actions and fines, the OCR expanded its enforcement reach by granting regional offices increased investigatory and enforcement authority. Regional offices may now investigate breaches affecting fewer than 500 people. According to the OCR, the regional offices may prioritize investigations based on the size of the breach; the amount and nature of protected health information involved; whether the breach involved theft, unencrypted protected health information, or hacking; and whether the same entity has reported multiple small breaches.
The ability to pursue smaller-scale breaches will likely increase the investigation of small covered entities in the coming years. Previously, these breaches were of minimal concern to the OCR, but the new plan appears to take aim at smaller breaches by smaller providers, especially when the breach is part of, or follows, a series of similarly sized breaches.
In addition to the increased imposition of fines, criminal prosecutions for HIPAA violations are also on the rise. Arkansas saw its first criminal prosecution based on HIPAA violations in 2008. A Trumann nurse was sentenced to two years of probation and 100 hours of community service after disclosing the protected health information of a patient at her clinic to her husband, who intended to use the information in a legal proceeding. A year later, in July 2009, three Arkansans, one doctor and three former nurses, pled guilty to accessing, out of curiosity, the medical records of a hospital patient. All three received fines, ranging from $1,500 to $5,000, and one was sentenced to 50 hours of community service.
Penalties have been stiffer in other parts of the country. In April 2013, Helen Michel, the former owner of a medical supply company in New York, was sentenced to 12 years in federal prison on charges related to HIPAA violations and Medicare fraud. In 2016, at least two individuals were convicted of criminal violations of HIPAA. Other offenders across the country have received sentences ranging from probation to incarceration. It is not unreasonable to expect the number of criminal prosecutions to increase as the number of audits and enforcement actions increases.
Because the OCR audit program is funded by the collection of civil money penalties, the program cannot function without enforcement actions and the fines they generate. In 2017 and 2018, expect the audit program to continue stepping up the number of enforcement actions. However, President Trump's deregulation of several industries thus far suggests that the Trump administration might pull back on HIPAA enforcement. Whether that is the case will be difficult to determine until we are well into 2017.
Regardless, it is imperative that every covered entity, business associate, and subcontractor maintain an audit-ready state, actively mitigate risks, report breaches to the OCR and the affected patients in a timely manner, and continue to conduct risk assessments. The penalties for failing to take these steps are too harsh not to take the necessary precautions.
Hayden Shurgar defends medical providers in malpractice and professional liability claims. She also advises clients on healthcare regulatory issues, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its amendments. She is a Certified HIPAA Professional and Certified HIPAA Security Specialist and provides HIPAA training and review of HIPAA policies and procedures for clients.