In 2016, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA, continued its robust enforcement efforts. There were 12 reported resolution agreements (RAs) in 2016. An RA is a settlement agreement between HHS and a covered entity (or business associate) under which the entity agrees to pay a resolution amount. In addition to the payment, an RA typically includes a corrective action plan (CAP), under which OCR monitors the entity's compliance for a set period. Generally, RAs arise in the wake of a breach report submitted to OCR and the investigation that follows.
The resolution amounts in 2016 continued the trend toward higher settlement payments, with several settlements at or above $1 million and some well above it. Of the 12 RAs in 2016, seven exceeded $1 million, including amounts of $5.5 million, $3.9 million and $2.75 million.
So what is driving the multimillion-dollar settlements? Is it the number of affected individuals in a reported breach incident? Looking at the highest payment amount in 2016 – $5.5 million – one might think so. In that matter, Advocate Health Care had submitted three breach reports affecting a combined total of approximately 4 million individuals. But the Oregon Health & Science University settlement involved a breach incident affecting only approximately 3,000 individuals – a small number, relatively speaking, compared with 4 million. Yet that settlement was still among the highest in 2016 – $2.7 million. And the $2.2 million settlement with NewYork-Presbyterian Hospital (NYP) concerned the disclosure of just two patients’ protected health information.
So it is clearly not just the raw number of affected individuals that drives the settlement amounts. Let's take a closer look at what is behind some of these settlements. Is there any rhyme or reason to them, or are there trends we can discern?
Encryption of mobile devices continued to be a focus of OCR's enforcement efforts in 2016. The $3.9 million settlement with the Feinstein Institute for Medical Research involved an unencrypted laptop stolen from an employee's car. The laptop contained information relating to approximately 13,000 patients and research subjects. In another unencrypted-device incident, the University of Mississippi Medical Center settlement involved an unencrypted laptop, believed to have been stolen by a visitor, that contained the ePHI of approximately 10,000 patients. That settlement was for $2.75 million. And in an incident involving an unencrypted iPhone, Catholic Health Care Services of the Archdiocese of Philadelphia settled for $650,000.
Business associate agreements (BAAs) also drove OCR enforcement in 2016. Care New England (CNE), which provides centralized corporate support for its affiliated covered entities, paid OCR $400,000 after OCR found that one of CNE's facilities had not updated its BAA with CNE to incorporate the revisions required under the HIPAA Omnibus Final Rule. And North Memorial Health Care settled with OCR for $1.55 million for failing to put a BAA in place with a major contractor; a laptop containing information on more than 9,000 patients was stolen from an employee of that contractor.
In other settlements, it appears that OCR simply wants to make a point or highlight an issue. For example, OCR reached a $2.2 million settlement with NYP related to the filming of “NY Med,” an ABC television program, when NYP did not first obtain authorization from the patients who were filmed. OCR’s press release announcing the settlement stated that “NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.” Significantly, at the same time the settlement with NYP was announced, OCR also released guidance on media access to treatment areas.
A key lesson from 2016 is that OCR will likely continue to focus on unencrypted mobile devices. Because such devices are routinely stolen, lost or misplaced, every mobile device that stores ePHI should be encrypted, and that includes devices used by business associates. Encryption is an "addressable" implementation specification under the HIPAA Security Rule, so it may be omitted only where a documented risk analysis shows it is not reasonable and appropriate and an equivalent alternative measure is implemented; "we never got around to it" does not qualify. Further, review your BAAs and make sure they are in place with every business associate and up to date with current requirements.
Looking ahead, it is difficult to predict how things may shake out at OCR with a new administration coming on board. The new nominee for secretary of HHS, Tom Price, is known to be a proponent of limited government regulations. But barring significant administrative changes, we can certainly expect to see settlement amounts continue to climb, perhaps approaching or surpassing the $10 million threshold.