While many healthcare providers are generally aware of their obligations under HIPAA, most do not have a clear sense of what happens if they fail to meet those obligations. At best, most are probably familiar with headlines about healthcare providers entering into multimillion-dollar settlements with the government for HIPAA violations but otherwise are unaware of the specifics of such cases. In an environment where cybersecurity incidents are increasingly common, it can be nerve-wracking for healthcare providers to contemplate actually meeting their HIPAA obligations in the face of ongoing threats, especially while the specter of enormous HIPAA penalties looms large in their minds. This article is intended to pull back the curtain on how HIPAA violations actually play out and to illustrate ways healthcare providers may mitigate or even avoid HIPAA penalties.
An in-depth case study
In the summer of 2016, a client of our firm became aware that its server had been hacked from overseas. The client was a small physician practice that, at the time, housed its server on-site and relied on a local IT professional for ongoing electronic security and support services. The intrusion went on for several days before it was discovered, and the client notified the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the government entity responsible for HIPAA enforcement, of the incident a few days later. During the hack, the client's electronic medical records software was encrypted and locked, leaving the client unable to use it.
The client's situation was, to put it mildly, problematic. At the time of the hack, although the client had some administrative, physical, and technical safeguards in place, most of its HIPAA Security Rule compliance had been handed to the lone IT support person, who did not know or understand the requirements of HIPAA very well. The server in question was also not as physically secure as it could have been: it was located in its own room, but the door was unlocked. The cabling between the server and the network router had been configured improperly, and the firewall's settings had been loosened (improperly) to work around a network connectivity issue, weakening its protection. Antivirus and antimalware software likewise were not functioning properly; they had not been kept up to date, and the IT professional had not been performing daily scans, even though the contract required them. In addition, the client's HIPAA security risk assessment had not been updated in years and was sparse at best. Finally, the client used a published book to train its staff rather than drafting its own policies and procedures.
However, the client's extensive remedial steps cut in its favor. First, the client instructed its electronic health record (EHR) software vendor to investigate the problem and restore access. Then, the client hired an outside auditor to investigate what had gone wrong internally. The client then fired the IT professional it had been using and hired a new company with actual HIPAA experience; the client later demanded a refund of the payments made to the previous IT professional for 2016.
In addition, the client hired a company to conduct a new security risk assessment and help it develop new policies and procedures, to be updated periodically. It improved its physical security, including adding a lock to the server room door and installing security cameras on the building exterior. The client improved its backup procedures, enabled screen lockouts, updated its software to the latest versions, and set up a separate guest Wi-Fi network so that personal devices were kept off the practice's own network.
The client’s report to OCR prompted an investigation, which led to the client bringing the matter to our firm. The client and I spent more than a month gathering evidence to demonstrate to OCR the good-faith efforts the client had made to comply with HIPAA. We outlined the remedial efforts the client had undertaken in response to the hack.
Fortunately, because the client had maintained extensive and contemporaneous documentation of its efforts, we were able to prepare a comprehensive narrative—supported by documentary evidence—to explain to OCR what had happened, what steps the client had taken, what matters were outside of its control or knowledge, and how the client had corrected the problems within its control. This included contemporaneous copies of emails sent to the IT professional and EHR software vendor, the policies and procedures that had been in place at the time of the hack, and the ones that replaced them (including a physical copy of the book the client had used). All this information was assembled both as physical copies and in electronic format on a USB thumb drive, with exhibits labeled for ease of reference. I hand-delivered all these materials to OCR’s offices in March 2017.
OCR finally closed the case in December 2018; it imposed no penalties and required no remedial efforts from the client. Instead, it determined the client had voluntarily complied with HIPAA and provided minimal technical assistance as a guide for small medical practices. Beyond this, OCR determined the matter had been resolved.
The reality of HIPAA enforcement
My client’s experience largely tracks with what we know of OCR’s goals and practices regarding HIPAA enforcement. Unlike Medicare recovery audit contractors, OCR’s goal is not to secure significant returns for the government. Instead, its goal is “to the extent practicable and consistent with the provisions of [the HIPAA enforcement regulations], seek the cooperation of covered entities and business associates in obtaining compliance with the applicable [HIPAA regulations].”[1]
OCR's tools in these efforts are provided by the HIPAA Enforcement Rule, which includes processes and procedures pertaining to compliance and investigations[2] and the imposition of civil money penalties.[3] More specifically, OCR may open an investigation in response to a complaint, or it may conduct a compliance review independently of the complaint process. Anyone can submit a complaint alleging a HIPAA violation to OCR; however, OCR has some discretion in deciding whether to accept the complaint for investigation, depending on the facts discovered in a preliminary review.
When the preliminary review indicates a possible violation due to willful neglect, OCR is required to investigate; otherwise, whether to investigate is up to OCR. If OCR accepts the complaint for investigation after the preliminary review, OCR notifies the complainant and the covered entity (CE) or business associate (BA) that is the subject of the complaint. The information requested as part of such an investigation is broad-ranging. It can include policies and procedures, an account of specific facts, and other documentary evidence and information. In my client's case, as previously noted, we gathered and submitted extensive documentation, including a written narrative and a guide to all the documents submitted.
With respect to compliance reviews, OCR has left the actual triggering mechanism deliberately vague. In the preface to regulations published in 2006, OCR declined to publish regulations describing the circumstances that would initiate a compliance review, stating:
Outlining specific instances in which a compliance review will be conducted could have the counterproductive effect of skewing compliance efforts towards those aspects of compliance that had been identified as likely to result in a compliance review. It also does not seem advisable to limit, by rule, the circumstances under which such reviews may be conducted at this early stage of the enforcement program, when our knowledge of the types of violations that may arise is necessarily limited.[4]
In other words, OCR wanted CEs and BAs to focus on compliance rather than avoid compliance reviews.
Once a compliance review or investigation has been completed, OCR will close the case if no violation is found. Where a violation is found, OCR will typically attempt to resolve the matter informally, usually in one of three ways: (1) determine that the CE or BA has voluntarily complied (as occurred with my client); (2) take corrective action by providing technical assistance or requiring the CE or BA to make changes to its policies and procedures, safeguards, etc.; or (3) enter into a resolution agreement with the CE or BA, which may require it to pay a settlement amount, perform various remedial activities, and submit to oversight by OCR. OCR has noted that most investigations are concluded to OCR's satisfaction using one of these methods.[5]
When these efforts fail, OCR may impose civil money penalties. These penalties are imposed only when OCR makes a final determination that a CE or BA has violated one or more HIPAA rules. Ideally, a CE or BA avoids this stage altogether by availing itself of the informal resolution methods described above. The penalty amount varies with the CE's or BA's culpability: whether it actually knew of the violation or would have known by exercising reasonable diligence, whether the violation was due to reasonable cause or to willful neglect, and, if willful neglect, whether it was corrected promptly. Amounts currently range from as little as $127 per violation, at the lowest tier, up to an annual cap of almost $2 million for all violations of an identical provision within a calendar year; these figures are adjusted for inflation each year.
Enforcement examples
In terms of actual enforcement examples, OCR’s website provides a range of data, from general statistics to congressional reports to specific resolution agreements and instances of civil money penalties. In general, they demonstrate that CEs and BAs that take their obligations seriously and attempt to correct problems when they are discovered are treated more leniently than entities that ignore or neglect to revise their practices.
For example, compare the cases of ACPM Podiatry and Danbury Psychiatric Consultants.[6] Both instances involved alleged violations of patients’ rights to access copies of their own records, where patients were refused copies because they had outstanding balances. Both cases involved OCR contacting the CE based on patient complaints submitted to OCR.
In the case of Danbury Psychiatric Consultants, the CE provided the patient with full access and entered into a resolution agreement and corrective action plan, paying a settlement amount of $3,500 and promising to carry out various remedial activities, including updating its policies and procedures on patient access to records. By contrast, in ACPM Podiatry, the CE was contacted multiple times by OCR, as well as by the patient, and continued to refuse to provide the patient with their records. OCR sent a technical assistance letter informing the CE of its obligations, but the CE still refused to comply. OCR even called the CE twice by phone and was told that the CE was aware of the inquiry, but the CE still did not comply. As a result, OCR imposed a civil money penalty of $100,000.
Conclusion
My client's case and the two contrasting examples, along with OCR's own words, highlight the fact that compliance is OCR's primary goal. Toward that end, CEs and BAs that violate HIPAA have every interest in taking corrective action to protect against future violations and to mitigate any harm caused by the previous violation. Based on my client's experience, this will be easier if the CE or BA keeps extensive records of its efforts and can present them to OCR in a clear fashion. Even having done so, the CE or BA may find itself stuck in purgatory awaiting OCR's judgment for many months. The process will be smoother still if the CE or BA already has in place clear policies and procedures for responding to and mitigating HIPAA violations, including procedures for documenting those efforts. Experienced legal counsel can also assist in these matters.
Takeaways
- Most healthcare providers do not have experience with HIPAA enforcement.
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is concerned first with ensuring HIPAA compliance and only secondarily with imposing penalties.
- Proactive compliance efforts go a long way toward persuading OCR that a provider is trying to comply with HIPAA.
- Responding to an investigation and demonstrating compliance is time-consuming and requires much effort and documentation.
- Effectively demonstrating compliance may allow a provider to avoid penalties and required remedial measures.
*Daniel Shay is an Attorney at Alice G. Gosfield & Associates P.C. in Philadelphia, PA.
1 45 C.F.R. § 160.304(a).
2 45 C.F.R. pt. 160, subpt. C.
3 45 C.F.R. pt. 160, subpt. D.
4 HIPAA Administrative Simplification: Enforcement, 71 Fed. Reg. 8,390 (Feb. 16, 2006), https://www.govinfo.gov/content/pkg/FR-2006-02-16/pdf/06-1376.pdf.
5 U.S. Department of Health and Human Services, Office for Civil Rights, “How OCR Enforces the HIPAA Privacy & Security Rules,” content last reviewed November 20, 2023, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.
6 U.S. Department of Health and Human Services, Office for Civil Rights, “ACPM Podiatry Notice of Proposed Determination,” letter, OCR Transaction Number: 19-343845, content last reviewed July 15, 2022, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acpm-npd/index.html; U.S. Department of Health and Human Services, Office for Civil Rights, “Danbury Psychiatric Consultants Resolution Agreement & Corrective Action Plan,” content last updated July 15, 2022, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/danbury-ra-cap/index.html.