Last year was a record-setting year for HIPAA enforcement. HHS’ Office of Civil Rights (OCR) has levied an unprecedented number of fines over the last year; since June 2013, OCR has recovered more than $10 million from various entities for alleged HIPAA violations. Just last month, Parkview Health System, Inc., a non-profit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio, agreed to pay an $800,000 settlement and adopt a corrective action plan to address deficiencies in its HIPAA compliance plan after 71 cardboard boxes of medical records were left unattended in the driveway of a physician’s home. OCR also recently announced a $4.8 million settlement against New York-Presbyterian Hospital and Columbia University as the result of the organizations’ failure to secure thousands of patients’ ePHI held on their networks. This was the largest HIPAA settlement to date.
Despite these impressive numbers, Jerome B. Meites, OCR Chief Regional Counsel for Region V (which covers Illinois, Indiana, Michigan, Minnesota, Ohio, and Wisconsin), made an announcement on June 12, 2014, at an American Bar Association conference in Chicago that the past 12 months of enforcement will likely pale in comparison to the next 12 months. “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Meites said. He noted that based on prior comments by leaders at OCR, the office has signaled an increasing desire to send strong messages through “high-impact cases.”
Consistent with prior statements from OCR, Meites notes that “portable media is the bane of existence for covered entities” and “causes a number of the complaints that OCR deals with.” He also emphasized that the failure to perform a comprehensive risk analysis has factored into most of the cases where breaches actually resulted in financial settlements. “You have to think carefully about what a risk analysis involves, and it can’t just be the obvious,” he said. “Everywhere in your system [PHI] is used, you have to think about how to protect it.”
As OCR moves towards the next round of HIPAA Audits, covered entities and business associates alike need to ensure that they are conducting appropriate comprehensive risk analyses and following the privacy and security standards set forth in HIPAA and HITECH.