OCR is on pace to conclude fewer HIPAA settlements and assess less money in HIPAA violation fines this year than in previous years, according to a report from the law firm Gibson Dunn.
For the first half of this year, OCR has reported only two HIPAA settlements and one HIPAA decision from an HHS Administrative Law Judge, amounting to around $7.9 million in fines, according to the law firm’s analysis.
In 2017, OCR announced ten HIPAA settlements and $19.4 million in fines. In 2016, OCR reported 13 settlements totaling $23.5 million in fines.
“It remains to be seen whether the downtick in enforcement during the first half of 2018 signals a change in priorities, or whether we will see an acceleration of HIPAA settlements in the second half of the year,” the law firm observed.
As for this year's HIPAA fines, on February 1 OCR announced a $3.5 million HIPAA settlement with Fresenius Medical Care North America (FMCNA), a dialysis provider that also runs labs, urgent care centers, and post-acute practices. OCR alleged that Fresenius committed HIPAA violations on five separate occasions at separate facilities.
The FMCNA covered entities that reported cyber incidents include the following: Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility (FMC Duval); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove (FMC Magnolia Grove); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (FMC Ak-Chin); Fresenius Vascular Care Augusta, LLC (FVC Augusta); and WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island).
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino stated. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
Also in February, OCR announced a $100,000 HIPAA settlement with Filefax, a medical records storage company that went out of business in 2017. A company that was appointed as a receiver to liquidate Filefax’s assets for distribution to creditors agreed to pay the $100,000 monetary settlement.
OCR had been investigating a 2015 complaint against Filefax, in which 2,150 medical records were reportedly left at a shredding and recycling facility.
“The careless handling of PHI is never acceptable,” Severino said. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”
In June, an HHS Administrative Law Judge ruled that the University of Texas MD Anderson Cancer Center (MD Anderson) had to pay $4.3 million in penalties for HIPAA violations.
The judge backed OCR in its proposed determination, granting summary judgment to OCR on all issues.
OCR accused MD Anderson of violating the HIPAA Privacy and Security Rules by failing to encrypt its inventory of devices that handled and held electronic protected health information (ePHI). This failure led to the exposure of ePHI on more than 33,500 individuals when a laptop was stolen and two thumb drives were lost in 2012 and 2013.
OCR investigated MD Anderson following the three data breaches and found that it had encryption policies dating from 2006 and that its own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI.
However, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.
The judge agreed with OCR’s arguments and findings and upheld OCR’s penalties for MD Anderson’s noncompliance with HIPAA and for each record breached.