The Department of Health and Human Services – Office for Civil Rights (“OCR”) had a record year for settlements from its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.
In 2018, OCR settled ten (10) cases and secured one (1) judgment, resulting in a total of $28.7 million in HIPAA fines and penalties. This amount is approximately twenty-two percent (22%) higher than the previous record of $23.5 million, set in 2016.
OCR’s 2018 record was due primarily to the single largest HIPAA settlement in history: $16 million with the health insurer Anthem, Inc. The previous record settlement was $5.5 million in 2016. The insurer agreed to pay OCR the settlement in October 2018 for a major 2015 breach that affected nearly 79 million consumers. The OCR investigation found that Anthem failed to conduct an enterprise-wide risk analysis, a core requirement of the HIPAA Security Rule. In addition, Anthem was found deficient in conducting regular and consistent system activity review and in identifying and responding to known security threats.
The following is a summary of other noteworthy cases that led to the record for total settlements in 2018:
* The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.
* Fresenius Medical Care, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk analysis, a failure OCR tied to five separate data breaches over a five-month period in 2012.
* Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.
Health care providers and their business associates can expect continued enforcement of HIPAA by OCR. 2019 may also bring changes to the HIPAA regulations. In December 2018, HHS issued a Request for Information on ways to modify HIPAA to facilitate care coordination and promote transformation to value-based care.