HIPAA Enforcement: Highlights From 2022 and Expectations for 2023

Change in Political Leadership

Some industry publications suggest that enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”), by the Department of Health & Human Services (“HHS”), Office for Civil Rights (“OCR”) has paused. However, publication of HIPAA-related settlements and civil money penalties always lags after a change in administration or in the Director of OCR, which happened again recently. The apparent lull is a reporting lag, not a pause: OCR continues to investigate and enforce the HIPAA Rules vigorously. We continue to see OCR data requests in cases involving a range of clients, including voluminous requests addressing the requirements of the HIPAA Rules and an organization’s “recognized security practices,” as discussed below. Given the number of investigations we know to be ongoing at OCR, we expect more published enforcement activity involving all of the HIPAA Rules during 2023.

Recognized Security Practices

On January 5, 2021, President Donald Trump signed into law H.R. 7898. This statute amended the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require HHS to consider whether a HIPAA Covered Entity or Business Associate had implemented “recognized security practices” when assessing fines or penalties under the HIPAA Security Rule. The statute provides that if a HIPAA Covered Entity or Business Associate can demonstrate that it had “recognized security practices” in place for the previous twelve months, that entity may benefit from mitigation of fines related to the incident, early and favorable termination of an audit, and, potentially, mitigation of the remedies agreed to in a settlement with OCR for violations of the HIPAA Rules.

We note that when OCR requests information about a HIPAA Covered Entity’s or Business Associate’s implementation of “recognized security practices,” the request may indicate that OCR is considering a settlement or a civil money penalty in that case. We hope the attached sample “Additional Data Request” from OCR, which refers to and requests information about an organization’s “recognized security practices,” is helpful. We expect more requests for this information, and additional guidance on “recognized security practices,” from OCR in 2023.

Recent Cases

Press releases and other publicly available information show a wide range of payments being made to resolve alleged violations of the HIPAA Rules, by a wide range of entity types. Below are a few examples of settlement agreements about which OCR has provided information on its website; they range from small to very large dollar amounts and involve both small and large entities. There is accordingly no truth to the urban legends that OCR is not generally enforcing the HIPAA Rules or that OCR does not enforce the HIPAA Rules against small entities. As noted above, we expect to see more cases like these in 2023.

According to OCR’s website, Oklahoma State University Center for Health Sciences (“OSU-CHS”) agreed to pay OCR $875,000 and to implement a corrective action plan to settle allegations of potential violations of the HIPAA Rules following a cyberattack. OCR stated that on January 5, 2018, OSU-CHS filed a breach report with OCR stating that an unauthorized third party had gained access to a web server containing protected health information and installed malware, resulting in the disclosure of 279,865 individuals’ protected health information. OCR alleged that OSU-CHS failed to conduct an accurate and thorough risk analysis, perform an evaluation, implement audit controls and security incident response and reporting, and provide timely breach notification to the affected individuals and HHS.

Also according to OCR’s website, Peachstate Health Management LLC, doing business as AEON Clinical Laboratories (“Peachstate”), agreed to pay OCR $25,000 and to implement a corrective action plan following an OCR compliance review. OCR stated that in December 2017 it initiated a review of Peachstate’s compliance with the HIPAA Security and Privacy Rules and, as a result, alleged that Peachstate had failed to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of its HIPAA Security Rule policies and procedures. We note that clinical labs, to the extent they bill insurance electronically, are Covered Entities that must comply with the HIPAA Rules. The OCR Director stated in the related press release that failing to implement basic HIPAA Security Rule requirements makes entities easy targets for malicious activity and puts patient information at risk. Again, small providers are not immune from investigation or enforcement under the HIPAA Rules.

Finally, according to OCR’s website, Excellus Health Plan agreed to pay OCR $5.1 million and to implement a corrective action plan to settle potential violations related to a breach affecting more than 9.3 million people. OCR stated that in September 2015 Excellus filed a breach report stating that cyberattackers had gained unauthorized access to its information technology systems. OCR alleged that the attackers installed malware, resulting in the disclosure of the protected health information of more than 9.3 million individuals. In the related press release, the OCR Director stated that hacking continues to be the greatest threat to the privacy and security of patient information and that “health care entities need to step up their game” to protect the privacy of their patients.

OCR Website

OCR posts on its website all breaches reported to HHS that involve 500 or more individuals. Cases closed by OCR, which are usually moved to the “Archive” section, include a “web description” of the resolution. Cases without a web description, whether listed in the “Under Investigation” section or the “Archive” section, therefore remain open and under investigation by OCR. Reporters, press outlets, plaintiffs’ attorneys, researchers, and others frequently use this website to research breaches reported to HHS for a variety of purposes, including developing class action litigation. As a reminder, OCR will verify the details of a breach notification submitted to HHS with the reporting entity by phone within two weeks of submission. After confirming those details, OCR will post the information on its website, where it remains indefinitely (OCR does not remove information from the site), and will automatically open an investigation into potential violations of the HIPAA Rules. We expect many more entities to notify HHS of breaches in 2023, and OCR to post that information to its website, creating additional resources for reporters, researchers, and plaintiffs’ attorneys.

Conclusion

HHS OCR continues to vigorously enforce the HIPAA Rules, and HIPAA Covered Entities and Business Associates should remain vigilant about their HIPAA compliance. We expect more enforcement activity on alleged HIPAA violations from HHS OCR in 2023. Stay tuned!