With big fines being announced right along with supposed lowering of HIPAA fines, what kind of take-away should healthcare providers be receiving from these seemingly contradictory trends?
On the high fines side, OCR announced the following:
Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.
In May 2014, Touchstone was notified by the Federal Bureau of Investigation (FBI) and OCR that one of its FTP servers allowed uncontrolled access to protected health information (PHI). This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.
Touchstone initially claimed that no patient PHI was exposed. However, during OCR’s investigation, Touchstone subsequently admitted that the PHI of more than 300,000 patients was exposed including, names, birth dates, social security numbers, and addresses. OCR’s investigation found that Touchstone did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR. Consequently, Touchstone’s notification to individuals affected by the breach was also untimely. OCR’s investigation further found that Touchstone failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.
In addition to the monetary settlement, Touchstone will undertake a robust corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.
The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html.
On the lower fines side, HHS announced:
It was adjusting annual limits for fines downward violations with less culpability or fault. Violations where the entity has “No Knowledge” that they were violating HIPAA range from $100-$50,000 per violation but the maxium annual penalty has been reduced from $1.5 million to $25,000 per type of violation. “Reasonable Cause” violations penalties range from $1,000-$50,000 with the annual maxium being reduced from $1.5 million to $100,000 per type of violation. “Willful neglect” violations that were corrected by the entity range from $10,000-$50,000 with the annual maxium dropping from $1.5 million to $250,000 per type of violation. “Willful neglect” violations that were not corrected by the entity remain at the $1.5 million annual maximum per type of violation.
TAKE-AWAY #1
The annual maximum is NOT A MAXIMUM, but a maximum for a single type of violation with the same degree of culpability. A covered entity will likely have different types of violations and different levels of culpability. Like the MD Anderson fines of more than $4 million which are currently on appeal on various issues or the Touchstone fine above, the cummulative fine can be a multiple of the supposed “annual maximum.”
My Prediction: Expect to see more “types” of violations charged.
TAKE-AWAY #2
OCR has been “consultative” on most of the HIPAA violations up to this point. Relatively few fines have been assessed. At the same time, years have passed and arguably covered entities should have had sufficient time to come up to speed on HIPAA compliance. By lowering the maxium annual fines for lesser degrees of culpability, it makes it easier for OCR to transition from a “no fine” approach to a “reasonable fine” approach and escalate the level of culpability determinations.
My Prediction: Expect to see more cases fined and culpability to escalate.
While the current administration favors reduction of regulatory demands on industry, I believe it would be niave to believe that penalties are being eased in a time of increased concern over privacy violations. A change in fine structure may indicate a change in philosophy or approach by OCR to become more active and visible in enforcing privacy rights that the public is increasingly demanding.