2020 Compliance Work Plan Matters: HIPAA Compliance Enforcement Trends 2019 - Past is Prologue

The Office of Civil Rights (OCR) concluded in 2019 another successful year in HIPAA enforcement. While not as monetarily lucrative as 2018, nevertheless, two important trends emerged. The first was the emphasis for covered entities to do a meaningful risk analysis and to address these risks in a meaningful and appropriate level. Set it and forget it creates risk. The second issue, imposed for the first time in 2019, was enforcement of the 30-day provision to provide timely access to medical records. Two providers were each fined $85,000 for this shortcoming.

Significant settlements include a $3 million settlement with Touchstone Medical Imaging (TMI), According to the Health and Human Services (HHS) press release, TMI was notified in May 2014 by both the FBI and the OCR that one of their servers allowed uncontrolled access to patients' personal health information (PHI). TMI failed to respond timely to this notification, failed to conduct an accurate and thorough risk analysis, and failed to have Business Associate Agreements (BAAs) in place.

In a similar vein, Medical Informatics Engineering (MIE) settled with the OCR for $100,000. MIE had filed a breach report with OCR in 2015. The OCR investigation revealed that MIE did not conduct a comprehensive risk analysis.

The $2.15 million dollar settlement with Jackson Health System also began with a breach report by Jackson Health I 2013. Further, they self-reported that an employee was selling PHI in 2016. Investigations by OCR revealed that Jackson Health failed to provide accurate and timely breach notification to HHS, conduct an enterprise risk analysis, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

Smaller companies were not exempt from enforcement actions. West Georgia Ambulance settled with the OCR in December 2019 for $65,000. Again, this settlement began with a breach report in 2013 by West Georgia Ambulance concerning the loss of an unencrypted laptop. The OCR investigation uncovered failure to conduct a risk analysis, provide security awareness and training programs, and implement HIPAA Security Rules policies and procedures.

Takeaways: A Security Risk Analysis (SRA), like your organization's compliance plan, is a fluid document evolving during the year. The SRA should be revisited during the year, document remedial efforts, identify emerging risks, and consider all of it under privilege to insulate this roadmap of vulnerability from plaintiff's counsel after a breach. Please also recognize access to medical records is a genuine risk area. Ensure your response to such requests recognizes this risk. Please finally consider ensuring a timely Shield Act security analysis contemporaneous with the SRA for those businesses affected by the New York Shield Act. See https://www.trusiaklaw.com/blog/a-word-of-caution-to-hipaa-hybrid-covered-entities-new-york-s-shield-act-amends-nys-breach-notification-law-adds-data-security-requirements-and-imposes-data-security-obligations-for-hybrid-covered-entities.

The Trusiak Law can assist you in measuring your compliance with the HIPAA Privacy, Security and Breach Notification Rules. It will be done under attorney-client privilege to protect you.