The HHS Office for Civil Rights (OCR) announced nine HIPAA settlements in 2017 – resolving allegations against a number of health systems, insurance providers, and remote monitoring companies. Taken together with one additional non-settlement enforcement action (in which a $2.3 million civil monetary penalty was levied), the OCR secured over $19.4 million in fines and penalties.
The total of nine settlements was four fewer than in 2016, representing a shift in HHS’ attitude about enforcement: The OCR has said it was more eager to resolve enforcement actions informally in 2017, provided the covered entity or business associate corrected its compliance problems.
And that’s an important note to cover before we comb through the enforcement actions for takeaways, because it shows how preventable the year’s most headline-grabbing settlements really were: The most commonplace security gaps of any medical practice or hospital can be filled, and settlements can be avoided if you take steps to fix them.
As we’ll run down in the three sections below, it’s largely the most egregious examples of PHI mismanagement that cost providers millions in penalties.
Lock Up Those Laptops
The largest settlement of the year (a $5.5 million resolution with Memorial Healthcare System) related to the use of login credentials belonging to a former employee to access over 100,000 patients' personal health information. But the next two most expensive settlements – $3.2 million with Children’s Medical Center of Dallas and $2.5 million with CardioNet – both stemmed from the theft of laptops from the entities’ offices.
In 2018, there’s no excuse for lax security protections on laptops. Encrypt your data, deploy two-factor authentication (among other measures), and be careful about who interacts with your devices.
Don’t Delay The Inevitable
2017 also saw the first enforcement action related to untimely reporting of a HIPAA violation: In January, Presence Health agreed to implement a corrective action plan and pay $475,000 for its failure to notify affected patients, social media outlets, and the OCR of a 2013 breach within 60 days of discovering it.
Presence Health first realized in October 2013 that its operating room schedules – which contained names, birthdates, medical record numbers, dates and types of procedures, and other sensitive details – had gone missing. Had they reported it right away, instead of filing the breach notification in January, they could have avoided the settlement and negative publicity. Don’t follow their example; in the event of an incident, report it as soon as you can.
Put Common Sense First
Presence Health’s recklessness with its operating room schedules was just one of several stupid mistakes by covered entities that the year’s enforcement actions revealed. Memorial Hermann, for example, reported a patient’s name in the headline of a 2015 news release announcing the patient’s arrest for presenting fraudulent identification; OCR found this to be an "impermissible disclosure" of PHI, and factored it into a $2.4 million settlement.
Mount Sinai St. Luke's health system also made a “careless” disclosure of a patient’s HIV status by faxing it to the person’s employer, rather than delivering it to a post office box. That mistake, and a related breach, led to a $387,000 OCR fine. To avoid a similar fate, encourage your staff to slow down and just think; common sense correctives are the best protection from negative HIPAA publicity.