So far, 2018 has been a light year in terms of HIPAA enforcement. There have been only two publicly disclosed settlements. But that doesn’t mean covered entities and business associates should let their guard down and assume that they don’t need to be mindful of HIPAA. Indeed, it is hard to know what is going on in the Office for Civil Rights (OCR) with respect to enforcement. Theories include that the priorities of the current administration are driving less enforcement, that the OCR is focusing its efforts on the current round of audits, and that the OCR is simply holding back on some settlements so that it can ensure a consistent approach to multiple settlements that it will announce in the near future. No matter the answer, it is not safe to assume that things will remain quiet on the HIPAA front.
Looking at the 2018 settlements, they reflect two very different scenarios, and both demonstrate that HIPAA settlements can take a long time to work their way through the OCR (which makes predicting enforcement even more difficult). The first settlement of the year was with Fresenius Medical Care North America (Fresenius) for $3.5 million and the adoption of a comprehensive corrective action plan. The Fresenius settlement dates back to 2012, when Fresenius experienced breaches at five different facilities around the country. The OCR’s investigation revealed systematic failures by Fresenius to adopt appropriate policies and procedures to address the Privacy and Security Rules. In the press release for the Fresenius settlement, the OCR Director stressed the importance of enterprise-wide risk analysis.
The second settlement was for $100,000 with the receiver that was appointed to liquidate the assets of Filefax as it was closing its operations in 2015. The OCR’s investigation followed an anonymous complaint regarding improper disposal of medical records, and the OCR found a variety of issues in which records were left unsecured. Even though Filefax had closed, the receiver was held responsible for ongoing compliance with HIPAA. Thus, the OCR has confirmed that closing operations does not relieve covered entities of HIPAA obligations, and that any entity that assumes custody of health records needs to be mindful of HIPAA.
Given that the Omnibus Final Rule is now more than five years old, the OCR is unlikely to tolerate non-compliance and it is probably only a matter of time before the sleeping giant awakens—or, more likely, that we learn that the giant hasn’t been sleeping at all. Indeed, because settlements take so long to process, no one outside the OCR really knows how active the OCR is with respect to enforcement activities for situations occurring right now. Therefore, all covered entities and business associates need to stay vigilant with respect to the three pillars of HIPAA compliance: Privacy Rule Policies and Procedures, reasonably current Security Rule Risk Assessments, and workforce training regarding HIPAA. And, any entity that experiences a breach—particularly a breach involving 500 or more individuals that requires prompt notice to the OCR—should revisit all three of these compliance pillars.
To better mitigate the risk of HIPAA enforcement actions, stay tuned for a three-part series that will examine several ways to efficiently identify and address gaps in HIPAA compliance during transaction diligence.