The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of the privacy and security rules included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), announcing a number of settlements of alleged violations in the first seven months of 2021.
This settlement activity followed other significant HIPAA developments that occurred in January 2021, including HHS’s release of proposed regulations amending the HIPAA Privacy Rule and a Fifth Circuit Court of Appeals opinion vacating an OCR penalty of approximately $4.44 million for a HIPAA security breach involving the University of Texas MD Anderson Cancer Center (MD Anderson).
The Fifth Circuit took issue with the standards that OCR (and an administrative law judge) had applied in assessing the penalty. The Court found that MD Anderson had implemented a mechanism for the encryption of data, even if certain employees did not follow that mechanism. It held that the government had not demonstrated that MD Anderson made any affirmative disclosure of protected health information to an outside person. The Court explained that even if the government had established that MD Anderson was liable, the Court would have lowered the penalties substantially, finding that the amount assessed exceeded applicable limits. Although it is unclear how the Fifth Circuit’s opinion will affect OCR’s enforcement activity (or the willingness of parties to settle) going forward, this year’s settlements demonstrate that OCR has remained active in enforcing HIPAA’s rules.
OCR’s first settlement of 2021 also was its largest of the year to date. OCR learned of a breach when Excellus Health Plan reported to OCR that cyber-attackers had installed malware and gained unauthorized access to its systems from December 2013 to May 2015. The breach resulted in the impermissible disclosure of more than 9.3 million individuals’ protected health information, including their social security numbers, bank account information, health plan claims, and treatment information.
HHS investigated the breach and alleged that Excellus did not conduct a thorough analysis of the risks and vulnerabilities to its electronic protected health information (ePHI), implement security measures to mitigate those risks, or implement procedures to regularly review information system activity records.
Excellus agreed to pay a resolution amount of $5.1 million and entered into a Corrective Action Plan. The Corrective Action Plan required Excellus to perform a comprehensive risk analysis to identify any other potential risks or vulnerabilities to its systems maintaining ePHI. It also required Excellus to prepare written policies to address the monitoring of suspicious activity and submit the policies to HHS for review, provide training to employees on such policies, and submit to monitoring by HHS for a period of two years.
OCR’s analysis of the severity of the potential violations and determination of the resolution amount appears to have been heavily influenced by the length of time that the breach went undetected. As the director of OCR commented: “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.”
This settlement serves as a reminder that covered entities should be vigilant in reviewing activity within their systems so they may respond quickly if a breach does occur.
OCR also has demonstrated a continuing commitment to enforce the obligation to provide individuals with timely access to their health information upon request. OCR entered into six separate Resolution Agreements between January and June of 2021, bringing the total to 19 actions under its Right of Access Initiative.
All six settlements involved health care providers that failed to provide patients’ medical records in a timely manner, ranging from a six-month delay to a complete failure to provide the requested documents. Each entity entered into a Resolution Agreement and Corrective Action Plan with OCR, with resolution payments ranging from $5,000 to $200,000.
Based on the limited information available in the Resolution Agreements, it is unclear how the monetary resolution amounts were set. They may have been based on a combination of factors such as the time that passed between the initial request and the date the entity provided the medical records, the number of complaints that HHS received with respect to each entity, or the size and sophistication of each entity. Although the settlement amounts for breaches of the access to information requirements tend to be less than those involving an actual breach of privacy, the Corrective Action Plans still require the entities to undertake significant compliance measures, including revising internal policies and procedures for HHS review, providing training to all employees with job duties that relate to processing these requests, and submitting to monitoring by HHS for up to two years.
These Resolution Agreements and accompanying news releases indicate that HHS will continue pursuing its Right of Access Initiative, demonstrating the importance of health care entities maintaining sufficient policies to ensure timely, comprehensive, and accurate responses to patients’ requests for medical records.