[BreachExchange] HIPAA Enforcement Actions by the Numbers

Inga Goddijn inga at riskbasedsecurity.com
Wed Jun 29 23:09:46 EDT 2016


http://www.jdsupra.com/legalnews/hipaa-enforcement-actions-by-the-numbers-13704/

Protecting patient information is a central duty for both covered entities
and business associates under the Health Insurance Portability and
Accountability Act (HIPAA).  Should a HIPAA-subject entity ever fail to
protect patient information, it may face possible enforcement action from
the U.S. Department of Health and Human Services’ Office for Civil Rights
(OCR) as well as state attorneys general for alleged violations of HIPAA
and its Privacy, Security, and Breach Notification Rules.

The possibility of an enforcement action is unfortunately very real for
HIPAA-subject entities. As of May 31, 2016, OCR has received more than
134,246 HIPAA-related complaints, and investigated and resolved more than
24,241 cases since 2003
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html>.
Even if an entity successfully avoids a settlement or civil money penalties,
just having to go through a HIPAA investigation can be a painful and
expensive experience.

HIPAA-subject entities may thus feel a little in the dark as to just how
frequent state and federal enforcement actions for perceived HIPAA
violations are brought, and what penalties typically are imposed. To help
entities better understand how active OCR and state attorneys general have
been in the HIPAA enforcement space – and what penalties they may face for
any alleged violation – DWT has distilled key information from OCR’s Resolution
Agreements and Civil Money Penalties
<http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html>
and enforcement actions by state attorneys general enforcing HIPAA into an
easily-readable infographic
<http://www.privsecblog.com/files/2016/06/Hipaa_enforcement2016_R2.pdf>.

*Key Takeaways*

   - Since OCR entered into its first Resolution Agreement resolving a
   HIPAA violation complaint in 2008, OCR has engaged in *36 enforcement
   actions* for alleged HIPAA violations. Of those, *23 enforcement actions*
   resulted from a covered entity’s or business associate’s own breach report
   to OCR.
   - *Settling with OCR doesn’t come without a cost.* OCR typically imposes
   monetary penalties in HIPAA settlements, with the *average settlement
   amount* being *$1,070,585*.
   - *You need to fix the problem.* In all settlements but one, the
   entities that entered into settlements with OCR agreed to a corrective
   action plan, which requires remediation of the alleged violation and
   usually ongoing reporting to OCR of their efforts to comply with the
   settlement terms for the duration of the corrective action plan. The
   average *corrective action plan is approximately two years*.
   - *Nearly 70%* of OCR enforcement actions *involved electronic protected
   health information (ePHI)*, demonstrating that continued compliance with
   the HIPAA Security Rule remains a central focus for OCR. Covered entities
   and business associates therefore should, for example: conduct and update
   as needed a risk analysis as required by the Security Rule to identify
   potential risks and vulnerabilities to ePHI; and manage risk by
   implementing appropriate administrative, physical, and technical safeguards
   to protect the confidentiality, integrity, and availability of ePHI, the
   three properties the Security Rule requires entities to ensure. Entities
   also should revisit their compliance efforts to verify that they meet the
   Security Rule requirements.
   - From 2008 onward, the number of OCR enforcement actions resolved
   annually has ticked steadily upward: in 2015, OCR resolved six complaints
   in total. As of June 10, 2016, the agency has resolved just as many,
   signaling that *2016 may see a record-breaking number of enforcement
   actions and settlements*.
   - State attorneys general also have been active in HIPAA enforcement: in
   just over six years, *11 enforcement actions* have been conducted by
   chief state law enforcement officers. *Massachusetts* has been the most
   active, with *five settlements* so far.