2017 will go down as a turning point for enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. It follows 2016, which saw an unprecedented level of enforcement activity: 13 settlements and nearly a 300% increase in total collected fines over 2015. In 2017, nine compliance reviews were settled through resolution agreements, and one additional enforcement action ended with a civil monetary penalty. In total, OCR collected $19.4 million in fines and penalties through its 2017 enforcement actions.
OCR’s enforcement approach has also quietly undergone a significant change: most enforcement actions are now resolved informally, with the covered entity or business associate correcting its compliance problems and the government levying no fines or penalties for the HIPAA violations. In 2017, over 800 cases will be closed through this informal approach. The number of case closures through informal resolution in 2017 is up 10% over 2016.
What Did We Learn from OCR HIPAA Enforcement Actions in 2017?
Several themes emerged from OCR enforcement actions that covered entities and business associates should keep in mind to help ensure their compliance with the HIPAA requirements.
- Performing risk analyses is crucial. The most consistent theme in the resolution agreements and corrective action plans announced by OCR is that HIPAA covered entities and business associates must regularly conduct an enterprise-wide information security risk analysis, as required by the Security Rule, to identify risks and vulnerabilities to electronic PHI. The Security Rule does not prescribe a specific risk analysis methodology; however, CynergisTek recommends organizing the risk analysis around the NIST Cybersecurity Framework (NIST-CSF). Unlike some other frameworks, the NIST-CSF has been mapped directly to the requirements of the HIPAA Security Rule.
- Develop a risk management plan. Conducting a risk analysis is critical, but by itself it changes nothing. A risk management plan ensures that reasonable and appropriate safeguards are actually implemented to address the risks and vulnerabilities the risk analysis identified, and OCR expects to see both.
- Have business associate agreements with vendors. Several settlements in 2016 and 2017 made headlines because covered entities disclosed PHI to contractors and vendors without first ensuring that appropriate safeguards to protect the PHI were in place. In those cases the vendor subsequently suffered a breach, and the PHI of individuals was disclosed without authorization in violation of the Privacy Rule. The HIPAA rules require a signed business associate agreement to be in place before a vendor creates, receives, maintains, or transmits PHI on behalf of the covered entity. An effective vendor management program verifies that third-party vendors have appropriate security safeguards to protect the organization’s PHI, in addition to the required business associate agreement.
2017 OCR HIPAA Enforcement Fines and Penalties