[BreachExchange] OCR Issues Two HIPAA Enforcement Actions, Plus Adjusts Future Fines

Destry Winant destry at riskbasedsecurity.com
Wed Nov 6 09:31:26 EST 2019


https://www.databreachtoday.com/ocr-issues-two-hipaa-enforcement-actions-plus-adjusts-future-fines-a-13360

The Department of Health and Human Services' Office for Civil Rights
has slapped two more organizations with hefty HIPAA enforcement fines.

Meanwhile, HHS announced increases to future HIPAA civil monetary
penalties to adjust for annual inflation in a move some observers say
is likely to create confusion and uncertainty, given earlier
announcements about plans to reduce penalties.

Latest HIPAA Enforcement Actions

OCR on Tuesday said it signed a $3 million HIPAA settlement with the
University of Rochester Medical Center related to breach reports in
2013 and 2017 involving the losses of an unencrypted flash drive and
an unencrypted laptop.

URMC, which includes the School of Medicine and Dentistry and Strong
Memorial Hospital, is one of the largest health systems in New York
state with over 26,000 employees.

At a HIPAA conference in Washington on Tuesday, OCR Director Roger
Severino noted that the agency has also issued a $1.6 million civil
monetary penalty against the Texas Health and Human Services
Commission in a case involving web application security.

OCR did not immediately respond to an Information Security Media Group
request for comment and additional information on the agency's
enforcement action against Texas HHSC.

In a statement provided to Information Security Media Group, Texas
HHSC says it "takes information security and privacy seriously for all
the people we serve. We are continually examining ways to strengthen
our processes for the health and safety of Texans." But the agency did
not comment on the specifics of the HIPAA penalty.

URMC Settlement

OCR in a statement Tuesday says its investigation into the URMC
breaches revealed that the medical center failed to:

Conduct an enterprisewide risk analysis;
Implement security measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level;
Utilize device and media controls;
Employ a mechanism to encrypt and decrypt electronic protected health
information.

"Of note, in 2010, OCR investigated URMC concerning a similar breach
involving a lost unencrypted flash drive and provided technical
assistance to URMC," OCR says. "Despite the previous OCR
investigation, and URMC's own identification of a lack of encryption
as a high risk to ePHI, URMC permitted the continued use of
unencrypted mobile devices."

Severino said in a statement: "Because theft and loss are constant
threats, failing to encrypt mobile devices needlessly puts patient
health information at risk. When covered entities are warned of their
deficiencies, but fail to fix the problem, they will be held fully
responsible for their neglect."

Under its resolution agreement with OCR, URMC will implement
corrective action plan that requires two years of monitoring
compliance with the HIPAA rules.

The plan requires URMC to conduct a security risk analysis and develop
and implement a detailed risk management plan, including policies for
encryption and decryption.

URMC Statement

The settlement agreement with OCR concludes an investigation into IT
security practices at URMC, following two unrelated incidents that the
medical center voluntarily reported in 2013 and 2017, URMC notes in a
statement provided to ISMG.

"Potentially affected patients were notified at the time both of these
incidents occurred, and we have no reason to believe that any
patient's personal health information was misused," the statement
says.

"The medical center is deeply committed to protecting patient privacy,
and we continuously improve our IT security safeguards and staff
training to reduce the risk of a privacy breach. As part of the
settlement with HHS, we will undertake a comprehensive audit of
security practices and implement any corrective actions needed to
ensure our safeguards are as strong as possible," URMC says.

So far in 2019, OCR has taken HIPAA enforcement actions against at
least seven entities, including URMC and Texas Health and Human
Services Commission, totaling nearly $10 million.

Adjusting Penalties

In other action on Tuesday, HHS issued a final rule to adjust its
civil monetary penalties for annual inflation - including civil
monetary penalties for HIPAA violations. The increase of about 1
percent, which affects all tiers of HIPAA enforcement penalties, goes
into effect immediately.

Even though OCR in April issued a "notice of enforcement discretion"
that significantly lowered HIPAA fines for some less serious
violations, the new "adjusted" civil monetary penalties published
Tuesday are based on the schedule of higher penalties that were in
place prior to OCR's April announcement.

For example, back in April 2019, OCR lowered the annual civil monetary
penalty cap for the "no knowledge" level of HIPAA culpability from
$1.7 million to $25,000, with OCR calling the higher amount
inconsistent with the authority set by Congress in the HITECH Act.

OCR's notice of enforcement discretion published on April 30 lowering
some HIPAA fines for less egregious cases noted that HHS would engage
in future rulemaking to revise its HIPAA penalty tiers. But so far
that has not happened.

So, until OCR issues specific rulemaking to "officially" lower penalty
tiers for HIPAA violations, the final rule on Tuesday by HHS about
"adjusted" civil monetary penalties raises the annual cap for most
culpability tiers to $1.75 million.

Until OCR issues formal rulemaking to lower its HIPAA fine tiers, "HHS
could legally issue higher fines at any point," says privacy attorney
Iliana Peters of the law firm Polsinelli. Before doing so, however,
HHS would most likely issue notice warning organizations of a return
to potentially higher fines, she adds.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine
notes that "while [the Trump] administration will likely follow the
April 2019 enforcement clarification, until the regulations are
amended with the lower annual caps, future administrations will be
free to renew the prior interpretation" of higher penalties.

Cause for Confusion?

Privacy attorney David Holtzman of security consultancy CynergisTek
says the schedule of adjusted HIPAA civil monetary penalties published
on Tuesday will likely create confusion and uncertainty among HIPAA
covered entities and business associates.

"Covered entities and business associates better belt yourself in. We
could be in for a bumpy ride."
—David Holtzman, CynergisTek

"They have reason to wonder what the annual limit is that can be
levied by OCR as penalties for violations of the regulations,"
Holtzman notes.

"Does this notice issued by HHS signal a conflict between the HHS
secretary and the OCR director who is delegated the authority to
enforce the HIPAA regulations? Will OCR issue a clarification on how
it is applying its enforcement discretion to the civil monetary
penalties it will levy in light of this change announced by HHS?
Covered entities and business associates better belt yourself in. We
could be in for a bumpy ride."

Potential Impact

But privacy attorney Kirk Nahra of the law firm WilmerHale says he
expects current OCR leadership to stick with the lower HIPAA penalty
tiers issued in April, even if OCR has the legal authority to levy the
higher fines still on the books.

"In general, OCR seems to be continuing its pattern throughout the
HIPAA era - it is not a 'gotcha' agency," Nahra says.

"It looks carefully at whether people are trying to do the right
things and it focuses its enforcement attention on serious problems,
repeated issues and a modest number of 'example' cases where they want
to make a point about a practice," he says. "OCR is still doing
careful, thoughtful enforcement generally, even with reduced staff and
more demands."

Similarly, Greene says he doesn't expect that HHS annual inflation
adjustments will have a very substantial impact on OCR's enforcement
inclinations.

"OCR has not historically sought to impose the maximum penalties or
settlement amounts possible," he says. "Rather, OCR often uses minimum
civil monetary penalty levels, rather than maximums."


More information about the BreachExchange mailing list