SlideShare a Scribd company logo

HIPAA Enforcement Powers Strengthened by HITECH

Daniel Solove
Daniel Solove

The document summarizes key aspects of HIPAA enforcement by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). It notes that initially after HIPAA's passage, enforcement focused on cooperation and corrective actions, with no fines issued. However, the HITECH Act in 2009 increased penalties and auditing. Since then, OCR has issued fines between $50,000-$1.7 million and entered into resolution agreements requiring fines and corrective plans. Overall, enforcement has increased but still represents a small fraction of total complaints filed.

1 of 8
Download to read offline
THE BRAVE NEW WORLD OF HIPAA ENFORCEMENT by Daniel J. Solove
The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive protected health information (PHI) from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs. Although the vast majority of HIPAA violations involve civil penalties, there can be criminal HIPAA violations, which are enforced by the Department of Justice (DOJ). HIPAA ENFORCEMENT www.teachprivacy.com U.S. Department of Health and Human Services HIPAA enforcement actions are typically initiated by a compliant. The HIPAA statute doesn’t authorize people to sue for HIPAA violations, so people’s recourse under HIPAA is to file a complaint with OCR. People can sue under state law for many of the things that would constitute HIPAA violations, as HIPAA doesn’t preempt state law, and more privacy-protective state law trumps HIPAA in those states in which it is enacted. The Anatomy of a HIPAA Enforcement Action HIPAA enforcement actions can also be triggered when there is an incident that is reported to HHS, such as a data breach. HIPAA enforcement now also involves auditing. When OCR receives a complaint, it first evaluates whether it has jurisdiction and whether there is a possible violation. It will then launch an investigation and reach a resolution. That resolution can be a finding of no violation or of a violation. Many cases are resolved by the entity being investigated agreeing to take corrective action and sometimes agreeing to pay monetary penalties.
OCR can enforce HIPAA against a wide array of entities. Covered entities large and small are subject to OCR enforcement – from small doctors’ offices to large hospitals and health systems. OCR can enforce against not only private-sector entities but public sector ones as well. For example, one action was against a state’s Department of Health and Human Services. OCR also has the ability to directly enforce HIPAA against business associates – and any subcontractors of business associates. HIPAA enforcement thus follows PHI wherever it goes – except under special circumstances. So if a hospital provides PHI to a billing company, and the company subcontracts with another entity, OCR can enforce down the chain of custody. HIPAA thus is enforced along the chain . . . and PHI generally remains inside HIPAA’s protective bubble no matter where the hot potato is handed. This concept of enforcement along the chain is really essential in today’s age where data can so readily be transferred and where so many entities have access to particular pieces of personal data. Unfortunately, unlike HIPAA, many other privacy laws do not allow for enforcement along the chain – the Family Educational Rights and Privacy Act (FERPA) is an example. Once education records are handed to others, the Department of Education is powerless to enforce against those entities. HIPAA ENFORCEMENT www.teachprivacy.com The story of HIPAA enforcement is a tale of two OCRs – the one before HITECH and the one after. The Scope of HIPAA Enforcement The Story of HIPAA Enforcement HIPAA Enforcement Before HITECH Initially, between 2003 and 2008, HIPAA enforcement would best be characterized as a cooperative model. OCR would work with institutions to help them sin no more. The goal was not penal, but being helpful. The saying “I’m from the government, and I want to help” really applied here. By 2008, more than 33,000 complaints had been filed with OCR. About 8000 of those were investigated, leading to 5600 instances where entities took corrective action. No fines were ever issued. Critics called HIPAA’s enforcement toothless.
HIPAA Enforcement After HITECH In the past few years, we are seeing HIPAA enforcement resolutions that include fines. But even today, most HIPAA enforcement resolutions “simply spell out corrective action plans or offer technical assistance.” There have been just 22 cases involving financial payments or a civil monetary penalty. HIPAA ENFORCEMENT www.teachprivacy.com In 2009, the Health Information Technology for Economic and Clinical Health ( HITECH) Act seriously ratcheted up the penalties. The fines for HIPAA violations were raised dramatically -- up to $1.5 million for a violation in certain circumstances. The HITECH Act added a breach notification requirement and it mandated that HHS conduct compliance audits. Congress made clear that HIPAA enforcement should have more teeth – and that OCR should be issuing some fines. The HITECH Act significantly renovated HIPAA. In my opinion, HITECH was one of the best set of improvements to a privacy law that Congress has ever made. In 2013, HHS issued the Omnibus Final Rule implementing HITECH Act changes in HIPAA. But its enforcement approach changed earlier, right after the HITECH Act. When a civil monetary penalty is involved, HHS will enter into a resolution agreement with the entity. A resolution agreement includes: Resolution Agreements According to OCR, it has entered into 24 resolution agreements, which come with a penalty, and issued one civil monetary penalty. They are listed on HHS’s website.  a financial penalty  a corrective action plan (CAP) that often involves entities improving their policies and procedures, training, risk analyses, and security practices  a reporting requirement, typically ranging from 1 to 3 years How Painful Is HIPAA’s Sting? The penalties as part of the resolution agreements are quite steep. For example, in 2012, penalty amounts ranged from $50,000 to $1.7 million. There were three penalties of $1.5 million or higher. Total = $4,850,000 Average: $970,000
HIPAA ENFORCEMENT www.teachprivacy.com In 2013, penalty amounts ranged from $150,000 to $1.7 million. There are two penalties in excess of $1 million. Total = $3,493,280 Average = $678,656 In 2014, penalties ranged from $150,000 to $3.3 million. Total = $7,940,220 Average= $1,134,317 The Many Flavors of Resolution Agreements The OCR resolution agreements appear to be deliberately eclectic, involving institutions large and small, as well as many different types of incidents. They represent a nice cross-section of different types of HIPAA violations. To a HIPAA wonk like me, reading them is akin to going into a gelato store and being able to taste all the flavors. (Having done both, I would opt for the gelato store if you had a choice.) The violations involve paper and electronic records. Frequent themes are inadequate training, failure to encrypt, and failure to conduct a risk assessment. Is Harm Needed for a Penalty? Harm isn’t required for there to be a monetary penalty. In one case, PHI was left in boxes unattended in a driveway to a house. But there were no allegations that any unauthorized individual accessed the PHI or took the records. There were no allegations that any PHI was lost. Nevertheless, the monetary penalty was $800,000. Let’s step back and look at the big picture of HIPAA enforcement. Recently, at the end of August of 2014, the total number of HIPAA complaints received by OCR since 2003 exceeded 100,000. Since 2009, there have been more than 1000 data breaches involving 500 or more people that have been listed on the HHS “wall of shame” website. Of these OCR completed 751 investigations. One of the great things about HHS enforcement is that HHS maintains some of the most comprehensive statistics and information on its website. Other agencies only report a fraction of what HHS reports. And some barely have anything on their websites at all. One interesting difference between HHS and the FTC is that HHS reports on the cases it investigates, whereas the FTC often keeps it a secret when it conducts an investigation and resolves not to take action. The Big Picture of HIPAA Enforcement  Impermissible uses and disclosures of PHI  Lack of safeguards of PHI  Lack of patient access to PHI  Uses or disclosures of more than the minimum necessary PHI  Lack of administrative safeguards of ePHI According to HHS, the compliance issues most investigated include: The Most Investigated Compliance Issues
Enforcement Statistics The story for HIPAA case resolutions is that they have been generally increasing throughout the years. Starting in 2008, there have been between 8000 to 10,000 resolutions. Notice the huge spike in the number in 2013 after the Omnibus Final Rule, an increase of nearly 50% from 2012. HIPAA ENFORCEMENT www.teachprivacy.com State Enforcement In addition to increasing penalties and mandating audits, HITECH also permitted state attorneys general to bring enforcement actions for HIPAA violations at the pre-HITECH penalty levels. Of the actions brought, all state attorneys general have also relied on state data protection laws.
HIPAA ENFORCEMENT www.teachprivacy.com Analysis and Takeaways 1. HIPAA enforcement used to be toothless; now, post-HITECH, it has some teeth and significant fines have been issued. HITECH really strengthened HIPAA in many ways. This is not your grandfather’s HIPAA anymore – it’s much more powerful. 2. There have been only 22 cases thus far with fines. There have been more than 100,000 complaints since 2003. There should be a lot more fines. 3. HIPAA allows for HHS enforcement along the chain of custody of PHI. This is a really essential protection, as these days, it is so common for PHI to circulate among various entities. 4. HIPAA allows state AGs to enforce, though not many have availed themselves of this power. 5. Reading the resolution agreements reveals that doing three things would help a lot with HIPAA compliance: (a) encrypt, (b) conduct risk assessments, and (c) have good workforce training. 6. Although an incident might spark an investigation, the resolution agreements show that the incident is just the tip of the iceberg. There are other HIPAA compliance shortcomings that OCR will typically find. Turn over the stone, and you’ll often find more than one bug crawling underneath. 7. The number of cases with corrective action taken has risen steadily throughout the years. And HIPAA enforcement activity is increasing, especially in 2013. 8. Although HIPAA doesn’t provide for a private right of action for people to sue, HIPAA leaves intact more protective state law. And there’s a lot of state law protecting medical privacy. So just because an entity might get lucky and receive a slap on the wrist from OCR, there still might be lawsuits under state law – plus there could state agency enforcement too under a state’s own laws (or under HIPAA). 9. HHS provides a wealth of information and transparency compared to other federal enforcement agencies. 10. Auditing is another important new dimension to HIPAA enforcement, something other agencies do not do.
About the Author TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. According to Professor Solove: "Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training must made with genuine passion. " TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. In addition to creating enterprise-wide training, TeachPrivacy has teamed up with the American Health Information Management Association (AHIMA) to produce a series of more advanced courses on the HIPAA Privacy and Security Rules: http://www.ahima.org/education/onlineed/Programs/hipaa Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove has taught privacy and security law for 15 years, has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 890,000 followers: http://www.linkedin.com/today/post/articles/2259773 Professor Solove organizes many events per year, including the new Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC: http://privacyandsecurityforum.com About TeachPrivacy www.teachprivacy.com

Recommended

HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowNetwork 1 Consulting
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
Hipaa final enforcement rule
Hipaa final enforcement ruleHipaa final enforcement rule
Hipaa final enforcement ruleYork County School of Technology
 
The New HIPAA Privacy Rule
The New HIPAA Privacy RuleThe New HIPAA Privacy Rule
The New HIPAA Privacy RuleMichael Witt
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 

Recommended

HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowNetwork 1 Consulting
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
Hipaa final enforcement rule
Hipaa final enforcement ruleHipaa final enforcement rule
Hipaa final enforcement ruleYork County School of Technology
 
The New HIPAA Privacy Rule
The New HIPAA Privacy RuleThe New HIPAA Privacy Rule
The New HIPAA Privacy RuleMichael Witt
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtneycourtneyquinlan
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 
Legal Aspects in Health Informatics
Legal Aspects in Health InformaticsLegal Aspects in Health Informatics
Legal Aspects in Health InformaticsNawanan Theera-Ampornpunt
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009canadianlawyer
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Brian Dickerson
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 
GDPR FAQ'S
GDPR FAQ'SGDPR FAQ'S
GDPR FAQ'SMorgan McKinley
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2Suzanne Guggenheim
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...CureMD
 
Accounting
AccountingAccounting
Accountingjerryrabin
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
Hipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActHipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActAmy Williams
 

More Related Content

What's hot

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtneycourtneyquinlan
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009canadianlawyer
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Brian Dickerson
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...CureMD
 

What's hot (18)

Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response Checklist
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtney
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
 
Legal Aspects in Health Informatics
Legal Aspects in Health InformaticsLegal Aspects in Health Informatics
Legal Aspects in Health Informatics
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009Privacy Breaches In Canada It.Can May 1 2009
Privacy Breaches In Canada It.Can May 1 2009
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law Test
 
GDPR FAQ'S
GDPR FAQ'SGDPR FAQ'S
GDPR FAQ'S
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law Center
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...The real reason why physicians must comply with HIPAA. What the government do...
The real reason why physicians must comply with HIPAA. What the government do...
 
Accounting
AccountingAccounting
Accounting
 

Similar to HIPAA Enforcement Powers Strengthened by HITECH

What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
Hipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActHipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActAmy Williams
 
Implications of hipaa non compliance
Implications of hipaa non complianceImplications of hipaa non compliance
Implications of hipaa non complianceAegify Inc.
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...Colin Zick
 
Health Insurance Portability And Accountability Act (HIPAA
Health Insurance Portability And Accountability Act (HIPAAHealth Insurance Portability And Accountability Act (HIPAA
Health Insurance Portability And Accountability Act (HIPAAKatie Gulley
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!Shelly Megan
 
HIPAA Violations and Penalties power point
HIPAA Violations and Penalties power pointHIPAA Violations and Penalties power point
HIPAA Violations and Penalties power pointDeena Fetrow
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
In 2013, the Health Insurance Portability and Accountability Act (HI.pdf
In 2013, the Health Insurance Portability and Accountability Act (HI.pdfIn 2013, the Health Insurance Portability and Accountability Act (HI.pdf
In 2013, the Health Insurance Portability and Accountability Act (HI.pdfbharatchawla141
 
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAConfidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAParsons Behle & Latimer
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE Milk663
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?Redspin, Inc.
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfarchigallery1298
 

Similar to HIPAA Enforcement Powers Strengthened by HITECH (20)

What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
Hipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability ActHipa Health Insurance Portability And Accountability Act
Hipa Health Insurance Portability And Accountability Act
 
Implications of hipaa non compliance
Implications of hipaa non complianceImplications of hipaa non compliance
Implications of hipaa non compliance
 
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
MichBIO_-_HIPAA__Industry-Provider_Interactions__and_Related_Compliance_Matte...
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
Health Insurance Portability And Accountability Act (HIPAA
Health Insurance Portability And Accountability Act (HIPAAHealth Insurance Portability And Accountability Act (HIPAA
Health Insurance Portability And Accountability Act (HIPAA
 
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
The Importance of HIPAA Compliance in ensuring the Privacy and Security of PHI!
 
HIPAA Violations and Penalties power point
HIPAA Violations and Penalties power pointHIPAA Violations and Penalties power point
HIPAA Violations and Penalties power point
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
HIPAA
HIPAAHIPAA
HIPAA
 
In 2013, the Health Insurance Portability and Accountability Act (HI.pdf
In 2013, the Health Insurance Portability and Accountability Act (HI.pdfIn 2013, the Health Insurance Portability and Accountability Act (HI.pdf
In 2013, the Health Insurance Portability and Accountability Act (HI.pdf
 
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAConfidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdf
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdf
 

HIPAA Enforcement Powers Strengthened by HITECH

  • 1. THE BRAVE NEW WORLD OF HIPAA ENFORCEMENT by Daniel J. Solove
  • 2. The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive protected health information (PHI) from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs. Although the vast majority of HIPAA violations involve civil penalties, there can be criminal HIPAA violations, which are enforced by the Department of Justice (DOJ). HIPAA ENFORCEMENT www.teachprivacy.com U.S. Department of Health and Human Services HIPAA enforcement actions are typically initiated by a compliant. The HIPAA statute doesn’t authorize people to sue for HIPAA violations, so people’s recourse under HIPAA is to file a complaint with OCR. People can sue under state law for many of the things that would constitute HIPAA violations, as HIPAA doesn’t preempt state law, and more privacy-protective state law trumps HIPAA in those states in which it is enacted. The Anatomy of a HIPAA Enforcement Action HIPAA enforcement actions can also be triggered when there is an incident that is reported to HHS, such as a data breach. HIPAA enforcement now also involves auditing. When OCR receives a complaint, it first evaluates whether it has jurisdiction and whether there is a possible violation. It will then launch an investigation and reach a resolution. That resolution can be a finding of no violation or of a violation. Many cases are resolved by the entity being investigated agreeing to take corrective action and sometimes agreeing to pay monetary penalties.
  • 3. OCR can enforce HIPAA against a wide array of entities. Covered entities large and small are subject to OCR enforcement – from small doctors’ offices to large hospitals and health systems. OCR can enforce against not only private-sector entities but public sector ones as well. For example, one action was against a state’s Department of Health and Human Services. OCR also has the ability to directly enforce HIPAA against business associates – and any subcontractors of business associates. HIPAA enforcement thus follows PHI wherever it goes – except under special circumstances. So if a hospital provides PHI to a billing company, and the company subcontracts with another entity, OCR can enforce down the chain of custody. HIPAA thus is enforced along the chain . . . and PHI generally remains inside HIPAA’s protective bubble no matter where the hot potato is handed. This concept of enforcement along the chain is really essential in today’s age where data can so readily be transferred and where so many entities have access to particular pieces of personal data. Unfortunately, unlike HIPAA, many other privacy laws do not allow for enforcement along the chain – the Family Educational Rights and Privacy Act (FERPA) is an example. Once education records are handed to others, the Department of Education is powerless to enforce against those entities. HIPAA ENFORCEMENT www.teachprivacy.com The story of HIPAA enforcement is a tale of two OCRs – the one before HITECH and the one after. The Scope of HIPAA Enforcement The Story of HIPAA Enforcement HIPAA Enforcement Before HITECH Initially, between 2003 and 2008, HIPAA enforcement would best be characterized as a cooperative model. OCR would work with institutions to help them sin no more. The goal was not penal, but being helpful. The saying “I’m from the government, and I want to help” really applied here. By 2008, more than 33,000 complaints had been filed with OCR. About 8000 of those were investigated, leading to 5600 instances where entities took corrective action. No fines were ever issued. Critics called HIPAA’s enforcement toothless.
  • 4. HIPAA Enforcement After HITECH In the past few years, we are seeing HIPAA enforcement resolutions that include fines. But even today, most HIPAA enforcement resolutions “simply spell out corrective action plans or offer technical assistance.” There have been just 22 cases involving financial payments or a civil monetary penalty. HIPAA ENFORCEMENT www.teachprivacy.com In 2009, the Health Information Technology for Economic and Clinical Health ( HITECH) Act seriously ratcheted up the penalties. The fines for HIPAA violations were raised dramatically -- up to $1.5 million for a violation in certain circumstances. The HITECH Act added a breach notification requirement and it mandated that HHS conduct compliance audits. Congress made clear that HIPAA enforcement should have more teeth – and that OCR should be issuing some fines. The HITECH Act significantly renovated HIPAA. In my opinion, HITECH was one of the best set of improvements to a privacy law that Congress has ever made. In 2013, HHS issued the Omnibus Final Rule implementing HITECH Act changes in HIPAA. But its enforcement approach changed earlier, right after the HITECH Act. When a civil monetary penalty is involved, HHS will enter into a resolution agreement with the entity. A resolution agreement includes: Resolution Agreements According to OCR, it has entered into 24 resolution agreements, which come with a penalty, and issued one civil monetary penalty. They are listed on HHS’s website.  a financial penalty  a corrective action plan (CAP) that often involves entities improving their policies and procedures, training, risk analyses, and security practices  a reporting requirement, typically ranging from 1 to 3 years How Painful Is HIPAA’s Sting? The penalties as part of the resolution agreements are quite steep. For example, in 2012, penalty amounts ranged from $50,000 to $1.7 million. There were three penalties of $1.5 million or higher. Total = $4,850,000 Average: $970,000
  • 5. HIPAA ENFORCEMENT www.teachprivacy.com In 2013, penalty amounts ranged from $150,000 to $1.7 million. There are two penalties in excess of $1 million. Total = $3,493,280 Average = $678,656 In 2014, penalties ranged from $150,000 to $3.3 million. Total = $7,940,220 Average= $1,134,317 The Many Flavors of Resolution Agreements The OCR resolution agreements appear to be deliberately eclectic, involving institutions large and small, as well as many different types of incidents. They represent a nice cross-section of different types of HIPAA violations. To a HIPAA wonk like me, reading them is akin to going into a gelato store and being able to taste all the flavors. (Having done both, I would opt for the gelato store if you had a choice.) The violations involve paper and electronic records. Frequent themes are inadequate training, failure to encrypt, and failure to conduct a risk assessment. Is Harm Needed for a Penalty? Harm isn’t required for there to be a monetary penalty. In one case, PHI was left in boxes unattended in a driveway to a house. But there were no allegations that any unauthorized individual accessed the PHI or took the records. There were no allegations that any PHI was lost. Nevertheless, the monetary penalty was $800,000. Let’s step back and look at the big picture of HIPAA enforcement. Recently, at the end of August of 2014, the total number of HIPAA complaints received by OCR since 2003 exceeded 100,000. Since 2009, there have been more than 1000 data breaches involving 500 or more people that have been listed on the HHS “wall of shame” website. Of these OCR completed 751 investigations. One of the great things about HHS enforcement is that HHS maintains some of the most comprehensive statistics and information on its website. Other agencies only report a fraction of what HHS reports. And some barely have anything on their websites at all. One interesting difference between HHS and the FTC is that HHS reports on the cases it investigates, whereas the FTC often keeps it a secret when it conducts an investigation and resolves not to take action. The Big Picture of HIPAA Enforcement  Impermissible uses and disclosures of PHI  Lack of safeguards of PHI  Lack of patient access to PHI  Uses or disclosures of more than the minimum necessary PHI  Lack of administrative safeguards of ePHI According to HHS, the compliance issues most investigated include: The Most Investigated Compliance Issues
  • 6. Enforcement Statistics The story for HIPAA case resolutions is that they have been generally increasing throughout the years. Starting in 2008, there have been between 8000 to 10,000 resolutions. Notice the huge spike in the number in 2013 after the Omnibus Final Rule, an increase of nearly 50% from 2012. HIPAA ENFORCEMENT www.teachprivacy.com State Enforcement In addition to increasing penalties and mandating audits, HITECH also permitted state attorneys general to bring enforcement actions for HIPAA violations at the pre-HITECH penalty levels. Of the actions brought, all state attorneys general have also relied on state data protection laws.
  • 7. HIPAA ENFORCEMENT www.teachprivacy.com Analysis and Takeaways 1. HIPAA enforcement used to be toothless; now, post-HITECH, it has some teeth and significant fines have been issued. HITECH really strengthened HIPAA in many ways. This is not your grandfather’s HIPAA anymore – it’s much more powerful. 2. There have been only 22 cases thus far with fines. There have been more than 100,000 complaints since 2003. There should be a lot more fines. 3. HIPAA allows for HHS enforcement along the chain of custody of PHI. This is a really essential protection, as these days, it is so common for PHI to circulate among various entities. 4. HIPAA allows state AGs to enforce, though not many have availed themselves of this power. 5. Reading the resolution agreements reveals that doing three things would help a lot with HIPAA compliance: (a) encrypt, (b) conduct risk assessments, and (c) have good workforce training. 6. Although an incident might spark an investigation, the resolution agreements show that the incident is just the tip of the iceberg. There are other HIPAA compliance shortcomings that OCR will typically find. Turn over the stone, and you’ll often find more than one bug crawling underneath. 7. The number of cases with corrective action taken has risen steadily throughout the years. And HIPAA enforcement activity is increasing, especially in 2013. 8. Although HIPAA doesn’t provide for a private right of action for people to sue, HIPAA leaves intact more protective state law. And there’s a lot of state law protecting medical privacy. So just because an entity might get lucky and receive a slap on the wrist from OCR, there still might be lawsuits under state law – plus there could state agency enforcement too under a state’s own laws (or under HIPAA). 9. HHS provides a wealth of information and transparency compared to other federal enforcement agencies. 10. Auditing is another important new dimension to HIPAA enforcement, something other agencies do not do.
  • 8. About the Author TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. According to Professor Solove: "Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training must made with genuine passion. " TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. In addition to creating enterprise-wide training, TeachPrivacy has teamed up with the American Health Information Management Association (AHIMA) to produce a series of more advanced courses on the HIPAA Privacy and Security Rules: http://www.ahima.org/education/onlineed/Programs/hipaa Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove has taught privacy and security law for 15 years, has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 890,000 followers: http://www.linkedin.com/today/post/articles/2259773 Professor Solove organizes many events per year, including the new Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC: http://privacyandsecurityforum.com About TeachPrivacy www.teachprivacy.com