[BreachExchange] HIPAA Enforcement Actions by the Numbers
Inga Goddijn
inga at riskbasedsecurity.com
Wed Jun 29 23:09:46 EDT 2016
http://www.jdsupra.com/legalnews/hipaa-enforcement-actions-by-the-numbers-13704/
Protecting patient information is a central duty for both covered entities
and business associates under the Health Insurance Portability and
Accountability Act (HIPAA). Should a HIPAA-subject entity ever fail to
protect patient information, it may face possible enforcement action from
the U.S. Department of Health and Human Services’ Office for Civil Rights
(OCR) as well as state attorneys general for alleged violations of HIPAA
and its Privacy, Security, and Breach Notification Rules.
The possibility of an enforcement action is unfortunately very real for
HIPAA-subject entities. As of May 31, 2016, OCR has received
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html>
more than 134,246 HIPAA-related complaints, and investigated and resolved
more than 24,241 cases since 2003. Even if an entity successfully avoids a
settlement or civil money penalties, just having to go through a HIPAA
investigation can be a painful and expensive experience.
HIPAA-subject entities may thus feel a little in the dark as to just how
frequently state and federal enforcement actions for perceived HIPAA
violations are brought, and what penalties typically are imposed. To help
entities better understand how active OCR and state attorneys general have
been in the HIPAA enforcement space – and what penalties they may face for
any alleged violation – DWT has distilled key information from OCR’s Resolution
Agreements and Civil Money Penalties
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html>
and enforcement actions by state attorneys general enforcing HIPAA into an
easily readable infographic
<http://www.privsecblog.com/files/2016/06/Hipaa_enforcement2016_R2.pdf>.
*Key Takeaways*
- Since OCR entered into its first Resolution Agreement resolving a
HIPAA violation complaint in 2008, OCR has engaged in *36 enforcement
actions* for alleged HIPAA violations. Of those, *23 enforcement actions*
resulted from a covered entity’s or business associate’s own breach report
to OCR.
- *Settling with OCR doesn't come without a cost.* OCR typically imposes
monetary penalties in HIPAA settlements, with the *average settlement
amount* being *$1,070,585*.
- *You need to fix the problem.* In all settlements but one, the
entities that entered into settlements with OCR agreed to a corrective
action plan, which requires remediation of the alleged violation and
usually ongoing reporting to OCR of their efforts to comply with the
settlement terms for the duration of the corrective action plan. The
average *corrective action plan is approximately two years*.
- *Nearly 70%* of OCR enforcement actions *involved electronic protected
health information (ePHI)*, demonstrating that continued compliance with
the HIPAA Security Rule remains a central focus for OCR. Covered entities
and business associates therefore should, for example: conduct and update
as needed a risk analysis as required by the Security Rule to identify
potential risks and vulnerabilities to ePHI; and manage risk by
implementing appropriate administrative, physical, and technical safeguards
to protect the confidentiality, integrity, and security of ePHI. Entities
also should revisit their compliance efforts to verify that they meet the
Security Rule requirements.
- From 2008 onward, the number of OCR enforcement actions resolved
annually has ticked steadily upward: in 2015, OCR resolved six complaints
in total. As of June 10, 2016, the agency has resolved just as many,
signaling that *2016 may see a record-breaking number of enforcement
actions and settlements*.
- State attorneys general also have been active in HIPAA enforcement: in
just over six years, *11 enforcement actions* have been conducted by
chief state law enforcement officers. *Massachusetts* has been the most
active, with *five settlements* so far.