Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.
2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.
In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.
By comparison, in 2016 there were 12 settlements reached with HIPAA-covered entities and business associates and one civil monetary penalty issued, and OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.
Summary of 2017 HIPAA Enforcement by OCR
Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.
| Covered Entity | Amount | Type | Violation Type |
|---|---|---|---|
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.
Throughout 2016 and 2017, many covered entities failed to issue breach notifications promptly. In 2017, OCR took action against this common HIPAA violation and agreed to its first HIPAA settlement based solely on delayed breach notifications to patients.
HIPAA Desk Audits Revealed Widespread HIPAA Violations
In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.
While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.
Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.
Preliminary Findings of HIPAA Compliance Audits on Covered Entities
Listed below are the preliminary findings from the HIPAA compliance audits, with a rating of 5 being the worst possible score and 1 being the best.
Preliminary HIPAA Compliance Audit Findings (2016/2017)

| HIPAA Rule Compliance | Controls Audited | Covered Entities Given Rating of 5 | Covered Entities Given Rating of 1 |
|---|---|---|---|
| Breach Notification Rule (103 audits) | Timeliness of Breach Notifications | 15 | 67 |
| Breach Notification Rule (103 audits) | Content of Breach Notifications | 9 | 14 |
| Privacy Rule (103 audits) | Right to Access PHI | 11 | 1 |
| Privacy Rule (103 audits) | Notice of Privacy Practices | 16 | 2 |
| Privacy Rule (103 audits) | Electronic Notice | 15 | 59 |
| Security Rule (63 audits) | Risk Analysis | 13 | 0 |
| Security Rule (63 audits) | Risk Management | 17 | 1 |
Roughly a third of the covered entities audited (36 of 103) fell short of full compliance on the timeliness of breach notifications, and next to no covered entities were found to be fully compliant on the right of access, notice of privacy practices, risk analysis, and risk management controls: not a single one of the 63 entities audited on the Security Rule received the top rating for risk analysis.
OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.
Attorneys General Fines for Privacy Breaches
The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right; instead, they choose to pursue cases under state laws, even when HIPAA Rules have been violated.
Notable 2017 settlements with healthcare organizations and business associates of HIPAA-covered entities are listed below.
| Organization | State | Amount | Individuals Affected | Reason |
|---|---|---|---|---|
| Cottage Health System | California | $2,000,000 | More than 54,000 | Failure to Safeguard Personal Information |
| Horizon Healthcare Services Inc. | New Jersey | $1,100,000 | 3.7 million | Failure to Safeguard Personal Information |
| SAManage USA, Inc. | Vermont | $264,000 | 660 | Exposure of PHI on Internet |
| CoPilot Provider Support Services, Inc. | New York | $130,000 | 221,178 | Late Breach Notifications |
| Multi-State Billing Services | Massachusetts | $100,000 | 2,600 | Failure to Safeguard Personal Information |