In the roughly three months since the HHS Office for Civil Rights announced it planned to reduce the amount of fines imposed for all but the most serious HIPAA violations, OCR issued two settlements—but both were finalized before the change.
The health care privacy and security community, then, has yet to see how the recent decision by OCR Director Roger Severino plays out and, at the same time, what impact there might be on compliance.
Now Congress has entered the fray. Significant health care legislation is advancing in the Senate that calls for OCR, when dealing with HIPAA violators, to take into consideration whether a covered entity (CE) or business associate (BA) had “recognized security practices in place” for at least a year that would “mitigate fines” or “limit remedies” the agency might impose.
It could be argued that OCR already does this, but in recent years, particularly as its penalties have risen, the agency has stopped explaining how it arrived at settlement amounts. For example, last year OCR entered into a $16 million settlement with Anthem Inc. over a massive exposure of protected health information (PHI)—some 79 million records were involved. Severino said only that the “largest health data breach in U.S. history fully merits the largest HIPAA settlement in history” (“OCR Exacts Its Pound of Flesh From Anthem With $16 Million Settlement, Corrective Actions,” RPP 18, no. 11).
Now Annual Caps Will Vary
Although specific decisions in individual settlements are not always disclosed, OCR’s penalty structure since it implemented the 2009 HITECH Act has been based on four tiers with amounts assessed per violation and per year, with an annual cap for identical violations.
The tiers range from a $100-per-violation minimum, for acts that an organization (defined as a “person” under the law) did not know about and, “by exercising reasonable diligence,” would not have known violated a HIPAA provision, up to $500,000 per violation for willful neglect where the violation has not been corrected within 30 days.
Despite these differences in culpability, OCR has been applying the same $1.5 million annual maximum to all four tiers, rather than reserving it for the top tier, the highest level of culpability.
It may be appropriate to thank the University of Texas MD Anderson Cancer Center for the reduction, as it came in the middle of a legal battle it is waging against a multimillion-dollar fine OCR has been trying to impose since 2017.
MD Anderson refused to settle and took its concerns to an HHS administrative law judge; in July 2018, OCR announced that the ALJ upheld the agency’s intent to impose a fine of $4.358 million on MD Anderson for a stolen laptop and a USB drive lost in 2012 and $1.5 million for another drive reported missing in 2013. To this total OCR added $1.348 million for failing to implement access controls, specifically encryption and decryption (“Lack of Encryption Key to $4.3M Penalty For MD Anderson; ‘Layered Security’ One Solution,” RPP 18, no. 7).
Penalty Drop Followed MD Anderson Litigation
In April of this year, MD Anderson filed suit against HHS Secretary Alex Azar in the U.S. District Court for the Southern District of Texas; it is arguing, among other things, that OCR lacks the authority under HIPAA to fine MD Anderson because it is a type of state agency and that the fines imposed are excessive (“Should ‘State’ Agencies Be Exempt From HIPAA? MD Anderson Says Yes,” RPP 19, no. 5).
MD Anderson also specifically called out the fact that OCR’s calculations of its penalty equated to “the maximum amount that the OCR could impose under any level of culpability under HIPAA, making the punishment the same as in a case in which [electronic protected health information] was intentionally taken to cause harm to patients and where harm was actually incurred.” The cancer center said the fines were in violation of annual caps imposed per identical violation.
That will change with settlements OCR reaches now. As Severino announced on April 26, OCR has changed its interpretation of the law and, from that day forward, intends to impose annual maximums of $25,000, $100,000 or $250,000 for the three lower tiers of violations.
As of RPP’s deadline, HHS had not yet filed a formal response to the suit. But the reduction in the annual caps clearly seems to be connected. MD Anderson officials told RPP the “revised penalty structure interpretation is consistent with MD Anderson’s legal arguments” and that they were “hopeful the OCR will reexamine the proposed penalty against MD Anderson consistent with its new approach.”
In announcing the reduction, OCR did not tie its decision to anything other than a “more accurate” reading of the HITECH Act, and HHS has stuck to its position of not commenting on pending litigation (“Easy Win for MD Anderson? OCR Drops Annual Caps, Issues Warning on Right-of-Access Denials,” RPP 19, no. 5).
As noted, OCR has issued two new settlements since that April announcement, but they were completed before a reduction could go into effect. The seeming disparity in the amounts and size of the breaches at the center of the settlements could perhaps be seen as an argument for more standardization of penalties. At least one HIPAA expert advises against a focus on financial penalties (“Deterrent Effect of OCR Fines Unknown; Expert Advises Against ‘Rolling the Dice,’” RPP 19, no. 7).
Touchstone Medical Imaging LLC, OCR said on May 6, agreed to a $3 million settlement for a breach affecting 307,000 individuals (“$3 Million Settlement Demonstrates Need for Quick Breach Management,” RPP 19, no. 6). The circumstances included a delay in notification of the 2014 breach that occurred when a patient billing file was “inadvertently” available online.
Then, on May 23, the agency announced a $100,000 agreement for a breach that affected 3.9 million medical records held by Medical Informatics Engineering, a business associate (BA) (“Generic ‘Tester’ Accounts Allowed Records Hack Triggering $1M in OCR, State AG Payments,” RPP 19, no. 6). This firm, however, paid another $900,000 to settle a suit brought by 16 states.
Compliance With NIST Standards Favored
Proposed changes to the HITECH Act are found in the Lower Health Care Costs Act, S. 1895, 116th Cong. (2019). The bill was introduced on June 19 by Sen. Lamar Alexander, R-Tenn., chairman of the Health, Education, Labor and Pensions Committee. The committee passed the bill by a 20-3 vote on June 26; it now will be considered for a vote by the full Senate. The bill proposes a series of reforms, including management and oversight of “surprise” bills and drug costs.
Provisions affecting HIPAA penalties are part of a section on improving the exchange of health information.
The bill would amend the HITECH Act with a new section titled “Recognition of security practices.” It specifically references guidance issued by the National Institute of Standards and Technology, as well as “any other program or processes that are equivalent to such requirements as may be developed through regulations.” S. 1895 would allow CEs and BAs to identify the practices.
Addressing OCR (technically HHS), the bill states that “when making determinations relating to fines,” when “decreasing the length and extent of an audit” or when contemplating “remedies otherwise agreed to by” HHS, the agency “shall consider whether the entity or business associate had, for not less than the previous 12 months, recognized security practices in place that may…mitigate fines,” take action that would “result in the early, favorable termination of an audit” and “limit the remedies that would otherwise be agreed to in any agreement” between HHS and a CE or BA.
It also provides that the CE or BA, if it chooses, can ask HHS for “further consideration by adequately demonstrat[ing] that such recognized security practices were in place.”
The bill also calls for the Government Accountability Office (GAO) to conduct a study that could end up making the case for an expansion of HIPAA to encompass firms that don’t today have to comply, or it may prompt new regulatory efforts. The study appears designed to pinpoint risks and gaps in safeguards for electronically exchanged information.
GAO to Review Private Sector Protections
Were the bill to be signed into law, GAO would have one year from then to complete the study. GAO is being asked to “describe the roles of federal agencies and the private sector with respect to protecting the privacy and security of individually identifiable health information transmitted electronically to and from entities not covered” by HIPAA.
GAO also would “identify recent developments regarding the use of application programming interfaces to access individually identifiable health information, and implications for the privacy and security of such information.”
The committee then wants GAO to review how the information that a person directs to be sent to or from a noncovered entity or BA is protected. GAO is to “identify practices in the private sector, such as terms and conditions for use, relating to the privacy, disclosure, and secondary uses of individually identifiable health information transmitted electronically to or from entities, selected by an individual” that are not covered by HIPAA.
More broadly, the committee has asked GAO to “identify steps the public and private sectors can take to improve the private and secure access to and availability of individually identifiable health information.”