2018 was a banner year for HIPAA compliance issues

At patient options we always want to keep you up to date with what is happening in our world of compliance. Lets look at the 2018 report of major trends.

After a relatively slow first six months, 2018 turned into an active year for HIPAA enforcement, with the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) announcing the largest-ever HIPAA settlement ($16 million) with Anthem in October 2018. The 2018 resolutions highlighted several compliance points that have received consistent focus from OCR, including the importance of utilizing compliant business associate agreements, conducting enterprise-wide security risk assessments, and remediating identified vulnerabilities. Other notable 2018 HIPAA activity included the pending Ciox ligation (challenging, in part, HHS guidance on fees that providers may charge to produce copies of patient medical records), and the HHS HIPAA request for information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules (responses were due by February 12, 2019). These developments highlight areas of recent HIPAA activity and can be instructive in identifying compliance focus areas for the year ahead.

2018 Resolution Agreements and Civil Money Penalties: Enforcement Trends and Compliance Pointers

Excluding the record $16 million settlement with Anthem, the average OCR penalties over the past three years have been approximately $1.7 million, with a range of $25,000 to $5.55 million. The fees imposed in 2018 were consistent with this trend, with fees (other than the Anthem settlement) that ranged from $100,000 to the year’s second-highest settlement of $4.3 million. 2018 saw eight resolution agreements and one ALJ ruling in favor of OCR. Each of the eight settlement agreements was also accompanied by a corrective action plan. Detailed information on the resolutions and ALJ ruling can be found on HHS’s Resolution Agreements and Civil Money Penalties website, and OCR has also released a summary of all 2018 OCR HIPAA settlements and judgments.

Some key enforcement trends and compliance pointers that can be gleaned from the 2018 settlement agreements include:

  • Compliant Business Associate Agreements must be signed with every business associate (from Google to individual contactors). 
  • Security Risk Assessments (SRA) must be conducted and updated on an enterprise-wide basis.
  • Remediating identified vulnerabilities is a critical part of HIPAA compliance and is the action step following the completion of an SRA.
  • HIPAA eclipses self-defense: Covered Entities cannot reveal PHI in a manner not permitted by HIPAA, even if the patient puts the information at issue (e.g., by speaking to media, online review, posting to social media, etc.) and even if the patient’s comments are not flattering to the Covered Entity.
  • OCR has significant discretion in its settlement authority, and settlements are highly circumstance-specific (e.g., a breach affecting 79 million individuals resulted in a $16 million settlement, or an average of approximately $0.20 per person, whereas another breach which affected 1 individual resulted in a settlement of $125,000).

One of the major things for our subscribers that I would like to point out is the HIPAA eclipses self-defense. This is especially relevent in our smaller offices. We recommend if you have a poor review on your internet presence to take your time responding to it and to make sure that you do not reveal any PHI. This is the fastest way to end up with a HIPAA complaint against you and with the record amount of money they took in last year you want to make sure that you do not raise their attention. Patient Options does help you with the rest of the major points.

Thanks to JDSUPRA and their HIPAA Compliance for 2019: Enforcement Trends and Lessons Learned from 2018