Healthcare Data Privacy

Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being sent to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients.

The glitch caused current addresses to be substituted with former addresses. In some cases, mail may have been forwarded on to the correct address, although TriHealth was unable to determine whether this was the case. Letters have now been mailed to the correct addresses and affected patients have been notified of the error by mail.

The error affected mailings of billing statements, appointment reminder letters, and other correspondence between November 15, 2015 and January 12, 2017 when the error was discovered. Individuals affected by the error had all mailings directed to wrong addresses between those dates.

The types of protected health information contained in the mailings varied from patient to patient. PHI that was potentially exposed was limited to patients’ names, visit dates, descriptions of medical service provided, places of service, financial charges, details of payments and adjustments, account balances, due payments, and details of appointments.

No insurance numbers, Social Security numbers, credit/debit card information or financial institution information was printed in any of the misdirected letters.

TriHealth has not received any reports to suggest any of the information contained in the letters has been misused in any way. Since the privacy breach only involved a limited amount of data, and the risk of misuse is believed to be low, affected individuals have not been offered credit monitoring or identity theft protection services. They have been advised that they are entitled to obtain a free annual credit report from credit reporting companies and can check for suspicious credit activity.

The software error has now been fixed and affected patients have had their addresses corrected in TriHealth’s computer system.

The post Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses appeared first on HIPAA Journal.

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries?

A new data breach report from Risk Based Security has revealed the 2016 data breach trends across all industries and confirms just how bad a year 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse.

Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or stolen between January and December 2016.

The worst security breaches of 2016 were caused by hackers. Nine of the top ten worst data breaches of 2016 were due to hacks, with one web breach ranking in the top ten. 2016 saw six data breaches make the top ten list of the worst data breaches ever reported, as well as the worst data breach ever – the 1 billion-record breach at Yahoo. The top ten breaches of the year resulted in the theft or exposure of more than 3 billion records. Seven of the top ten data breaches of 2016 had a severity score of 10/10, with an average score of 9.96/10.

94 data breaches involving more than 1 million exposed records were reported over the course of the year – a 63% increase year on year. 37 data breaches of more than 10 million records were reported – an increase of 105% over 2015.

Risk Based Security’s figures show the United States was the worst hit. 47.5% of data breaches affected U.S. companies, and those breaches accounted for 68.2% of the total number of exposed or stolen records. California was the worst hit state, registering 234 breaches and 80.48% of exposed records. Florida was in second place with 113 breaches, followed by Texas with 105 and New York with 104.

While healthcare industry data breaches increased in 2016, they still only made up a small percentage of the total – 9.2% and just 0.3% of the total number of records exposed. The business sector was the worst hit, registering 51% of data breaches over the course of the year. Those breaches accounted for 80.9% of exposed or stolen records.

The 2016 data breach report indicates 7.6% of breaches were reported by medical institutions and 2.1% by hospitals. 11% of medical data breaches involved third parties.

Hacking was the main cause of breaches in 2016, accounting for 53.3% of the total. Those breaches were also the most severe, accounting for 91.9% of exposed or stolen records. One of the most common techniques used by hackers in 2016 was SQL injection, although in many cases there was no need to hack at all. More than 256 million records were exposed or stolen as a result of misconfigured databases and websites.

Insider breaches were a major cause of healthcare data breaches in 2016, although across all industries, insider incidents only accounted for 18.3% of the total. While malware attacks were frequent, they only accounted for 4.5% of the total number of breaches and 0.4% of exposed records.

The Data Breach QuickView Report is available for download from Risk Based Security.


Court of Appeal Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi.

The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data.

Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed.

The complainants maintain that the laptop computers were targeted by thieves who realized the value of data contained on the devices, rather than the computers being stolen for resale for their hardware value.

The plaintiffs claim that the disclosure, although accidental, placed them at “imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The plaintiffs allege Horizon BCBS wilfully and negligently violated the Fair Credit Reporting Act (FCRA) – in addition to a number of state laws – by failing to adequately protect their personal information. The plaintiffs claim that the unauthorized transfer of personal information was a violation of FCRA and that the transfer, in itself, constitutes a cognizable injury.

The District Court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(1) claiming a lack of Article III standing. However, the court of appeals judges ruled that even without evidence of misuse of the plaintiffs’ personal information, the case has standing.

According to U.S. Circuit Judge Kent Jordan, who wrote for the three-judge panel, “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.” Judge Jordan explained, “the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).”


Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid.

The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families.

The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay.

Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage cancer clients, late stage care/hospice support and preventative screenings.”

The ransom demand was first sent by text message to the organization’s executives, including its vice president and president, on their personal cell phones. The ransom demand and threats were then followed up by email. The ransom demand was later reduced to around $12,000, although payment will still not be made. The stolen data included documents pertaining to grants, donors, employees, and the organization’s operations.

In addition to threatening to publish the data, TheDarkOverlord allegedly also issued a threat to contact the families of cancer patients, as well as the organization’s partners and donors.

Previous attacks by TheDarkOverlord have involved data theft. This time around, data were stolen and the company’s database and physical backups were wiped. Fortunately, patient diagnoses and other client information were on paper files.

Little Red Door has a cloud storage backup containing most of its data. Systems and databases will be rebuilt and data reconstructed. The cancer agency expects its IT systems to be back up and running by the end of this week. After recovery, Little Red Door will fully transition to a cloud-based system.

Little Red Door has received assistance from a number of organizations. A spokesperson for the organization said it “extends its immense gratitude to all who have helped in its efforts to gain control of the ransom attack and sincerely apologizes for any inconvenience and distress experienced on account of this act of cyberterrorism.”


Protenus Releases 2016 Healthcare Data Breach Report

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen.

Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept.

The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal.

In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents. More than one healthcare data breach was reported every single day, on average, in 2016.

Data breaches fluctuated throughout 2016, with no clear trend emerging. The worst months of the year – in terms of the number of records breached – were June and August. In June, 10,880,605 healthcare records were exposed or stolen. 9,096,515 records were breached in August.

The worst months of 2016 for reported data breaches were November (58 incidents), April (946 incidents), and August (45 incidents). January saw the fewest breaches, with 21 incidents reported. January also saw the lowest number of healthcare records exposed, with 104,056 individuals impacted.

Million-record plus data breaches were relatively rare. The largest breach of the year – at Banner Health – saw 3.62 million records exposed.

The 2016 healthcare data breach report shows the majority of security breaches in 2016 involved insiders. Protenus classified insider breaches as those involving accidents caused by human error, data theft by healthcare workers, and snooping on medical records. 43% of the data breaches in 2016 involved insiders, compared to 26.8% of incidents which involved hacking, malware or ransomware.

There were 99 accidental data breaches and 91 breaches caused by insider wrongdoing. Breaches that were the result of insider wrongdoing tended to result in the theft of less data than accidental data breaches. Accidental data breaches exposed three times as many records, on average.

2016 saw an explosion in ransomware attacks with the healthcare industry heavily targeted. The healthcare data breach report indicates only 30 ransomware attacks were reported in 2016. The true figure may be considerably higher. Healthcare organizations are only required to report ransomware attacks if there was a reasonable probability that ePHI was compromised. Covered entities also have up to 60 days to report healthcare data breaches, so a final total for the year will not be available until March 1, 2017. 2016 also saw a rise in other extortion attempts, with hackers gaining access to healthcare data and demanding ransoms not to publish the information.

Hacking may not have been the biggest cause of healthcare data breaches in 2016, but hackers certainly obtained the most records. 120 hacking incidents were included in the report, although the number of records stolen in those attacks was only known for 99 incidents. Even so, the total number of records obtained by hackers was 87% of the annual total – 23,695,069 records.

Healthcare providers were the worst hit in 2016 accounting for 80% of the total breach count. Health plans were second with 10% of attacks, followed by business associate breaches which accounted for 6.3% of the total. 4% of breaches affected other entities.

The report shows healthcare organizations are slow to detect breaches. The report indicates the average time to discover data breaches was 233 days, although insider breaches took considerably longer. Cases of insider wrongdoing took an average of 607 days to discover that ePHI had been breached. Protenus reports the average time from the breach to reporting the incident to HHS was 344 days.


Final Rule Updating Common Rule Regulations Issued by HHS

The Department of Health and Human Services has published its Final Common Rule (45 CFR part 46). The Final Rule makes considerable changes to the Common Rule, although some of the most controversial elements included in the September 2015 proposed rule have been dropped.

One of the proposed changes would have made it much harder for research organizations to use biomedical samples for research. Rather than allowing a general consent form to be used, HHS proposed that written consent be obtained from patients prior to their samples being used for further studies, requiring additional consent to be obtained from the patient in writing for every step of research.

If a tissue or blood sample was left over from a previous research study, additional written consent would have been required before that sample could be used, even when consent to use the sample for research had already been obtained from the patient in the first place.

The proposed change was included following a high-profile case of a woman – Henrietta Lacks – whose cancer cells were used in multiple research studies without her knowledge or consent. While the proposed change was important for patient privacy, it would have been a major headache that could have slowed research and reduced the number of tissue samples that could be used for essential biomedical research.

The proposed change attracted a huge number of negative comments (more than 2,100) from researchers who felt it would slow their research. Additionally, there were cost considerations. The change would have made it difficult for small hospitals to provide samples for research due to the costs involved.

After reviewing the comments, the HHS decided to drop the change for the Final Rule. Now, samples can be used for research without obtaining additional consent from the donor of the sample, provided the samples are de-identified by removing names and other identifying information. Essentially, research can continue to be conducted as it currently is.

Another proposed change that attracted considerable criticism was the need for all researchers who received federal funding for clinical research to abide by the Common Rule. Critics pointed out that this requirement would not tackle the biggest problem – organizations that received no federal funding. It was believed that the change would also have hampered student research and social studies. This change was also dropped from the Final Rule.

When the Final Rule comes into effect, consent forms will need to include a concise summary at the start of the document explaining the most important information that potential research participants will need to know to give informed consent. The summary will need to include alternate treatments, and the risks and benefits of participation. Consent forms for certain federally funded programs will also need to be posted on public websites.

One controversial change that has not been dropped is the requirement for a single institutional review board (IRB) to be used for multi-institutional research studies to streamline oversight. However, a number of exceptions have now been included in the Final Rule to add greater flexibility.

The HHS says the Final Rule strengthens patient privacy protections while reducing the administrative burden on research institutions.

The changes were required because the Common Rule became effective in 1991, when most research was conducted at single sites by universities and medical institutions. Today, the landscape is very different. Now that data have been digitized, studies are commonly spread across multiple institutions, and large-scale studies are commonplace.

Jerry Menikoff, MD, Director of the HHS Office for Human Research Protections, said “We are very hopeful that these changes and all the others that reduce unnecessary administrative burdens will be beneficial to both researchers and research participants.”

The 543-page Final Rule, which was produced with assistance from 15 federal agencies, will be effective from 2018.


No HIPAA Violation Fine for Virginia State Senator

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign.

Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company, a violation of the HIPAA Privacy Rule. At least two complaints about the privacy violation were received by the Department of Health and Human Services’ Office for Civil Rights last year.

An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule. Such violations can result in financial penalties being issued.

Dunnavant, who was later elected to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been imprisoned for up to 10 years. However, OCR has chosen not to take further action.

No financial penalty was deemed appropriate as Dunnavant took immediate action to minimize damage. The investigation into the HIPAA violations has now been closed.

HIPAA violations are not always punishable with civil monetary penalties and do not always require resolution agreements. OCR prefers to resolve HIPAA violations through voluntary compliance and by issuing technical assistance. Civil monetary penalties and resolution agreements are typically reserved for the most serious violations of HIPAA Rules.

While Dunnavant’s use of patient contact information to solicit contributions did violate HIPAA Rules, the privacy violation was relatively minor and no patients came to harm as a result. Dunnavant believed her actions were permitted under HIPAA Rules as she had obtained a business associate agreement prior to disclosing the information.

Senator Dunnavant told the Richmond Times-Dispatch that the mailings were intended to advise patients of her political activity and reassure them that it would not have an impact on the provision of medical services. Dunnavant said she sought advice from her lawyers and medical practice board before sending the letter, and no HIPAA issues were raised. She also said she regretted adding an appeal for political support to the letters.


HHS Issues Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

In February 2016, the Department of Health and Human Services published a proposed change to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2) to facilitate health integration and information exchange. HHS has now finalized the Part 2 changes following an extensive evaluation of public comments, according to a recent press release from the Substance Abuse and Mental Health Services Administration (SAMHSA).

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations were introduced in 1975 to protect the privacy of patients receiving treatment for substance abuse and mental health disorders. At the time there was concern that the revelation of patients’ identities would have serious social consequences and a lack of privacy may deter individuals from seeking treatment.

The healthcare delivery system has changed considerably during the past 40 years and Part 2 regulations were in need of modernization. While the privacy of patients must and will still be protected, the Part 2 changes will help to promote health integration and allow information exchange with research institutions.

According to HHS Deputy Assistant Secretary, Kana Enomoto, the Part 2 changes “will further enhance health services research, integrated treatment, quality assurance and health information exchange activities while at the same time safeguarding the essential privacy rights of people seeking treatment for substance use disorders.” Enomoto went on to explain that “These efforts clear the way for integrated health care models that can provide a better, more cost-effective health care system that also empowers people to make key decisions about their health care.”

A number of new provisions have been finalized in the HHS Final Rule:

  • Any lawful holder of patient identifying information will be permitted to disclose Part 2 identifying information to qualified individuals for purposes of scientific research, provided the research meets certain regulatory requirements. The sharing of data will enable organizations to conduct essential research on substance use disorders. SAMHSA will also permit data linkages between data sets and data repositories holding Part 2 data, if certain regulatory requirements are met.
  • In certain circumstances, patients will be permitted to use general designations such as “My Treating Providers” when giving consent to share personal information. Patients are not required to agree to disclosures of their personal information, although by doing so they will be able to benefit from integrated healthcare systems. If patients do use the general disclosure designation, they can request a list of individuals and entities with whom their information has been shared.
  • Changes have been made that outline audit/evaluation procedures necessary to meet the requirements of CMS-regulated accountable care organization and other CMS-regulated organizations. The changes permit financial and quality assurance functions critical to ACOs and other healthcare organizations.
  • Part 2 has been updated to cover both physical and electronic documentation.
  • SAMHSA will develop additional sub-regulatory guidance on the finalized provisions and will monitor the implementation of the Final Rule.

HHS has also issued a Supplemental Notice of Proposed Rulemaking (SNPRM) and is seeking input and comments from the public on additional clarifications and suggestions on a number of new provisions including:

  • Clarifying and limiting the circumstances under which contractors, subcontractors and legal representatives of lawful holders of Part 2 data can receive information for payment and healthcare operations activities.
  • An abbreviated alternative statement for the notice to accompany disclosure.
  • The use of contractors, sub-contractors, and legal representatives by CMS-regulated entities to carry out audit and evaluation activities necessary to meet the requirements of a CMS-regulated program.


OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While large-scale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has also resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted
--- | --- | --- | --- | ---
University of Massachusetts Amherst (UMass) | November, 2016 | $650,000 | Malware infection | 1,670
St. Joseph Health | October, 2016 | $2,140,500 | PHI made available through search engines | 31,800
Care New England Health System | September, 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000
Advocate Health Care Network | August, 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center | July, 2016 | $2,750,000 | Unprotected network drive | 10,000
Oregon Health & Science University | July, 2016 | $2,700,000 | Loss of unencrypted laptop / storage on cloud server without BAA | 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia | June, 2016 | $650,000 | Theft of mobile device | 412 (combined total)
New York Presbyterian Hospital | April, 2016 | $2,200,000 | Filming of patients by TV crew | Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina | April, 2016 | $750,000 | Improper disclosure to business associate | 17,300
Feinstein Institute for Medical Research | March, 2016 | $3,900,000 | Improper disclosure of research participants’ PHI | 13,000
North Memorial Health Care of Minnesota | March, 2016 | $1,550,000 | Theft of laptop computer / improper disclosure to business associate (discovered during investigation) | 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. | February, 2016 | $25,000 | Improper disclosure of PHI (website testimonials) | Unconfirmed
Lincare, Inc. | February, 2016* | $239,800 | Improper disclosure (unprotected documents) | 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

The largest HIPAA settlement of 2016 – and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was based solely on delayed breach notifications – the first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands, and the appointment of an OCR director is likely to be relatively low down the to-do list. When a new OCR director is appointed, we may find that he or she has different priorities for OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.
