Notable enforcement activity in 2019

by Jay P. Anstine

Jay P. Anstine (jay.anstine@bannerhealth.com) is the Area Compliance Program Director for Banner Health’s Western Region Rural Hospitals.

As this year draws to a close, I wanted to take stock of the privacy world from an enforcement standpoint with the Department of Health and Human Services, Office for Civil Rights (OCR) to see what lessons can be learned. Below are some notable developments, as of the date of this writing (September 2019).

Notable enforcement activity

High-dollar settlements

For the OCR, 2019 began the same way 2018 ended, that is, a $3 million settlement. In December of 2018, OCR finalized a settlement with Cottage Health[1] related to two separate breaches involving an unprotected server. In May of 2019, OCR followed suit with a settlement with Touchstone Medical Imaging, Inc.[2] related to a file transfer protocol (FTP) server that allowed uncontrolled access to their patients’ protected health information (PHI) over the internet.

Aside from the dollar amounts, some common themes included the organizations’ lack of conducting an accurate and thorough risk analysis of potential risks and vulnerabilities to their ePHI, and failure to have business associate agreement(s)(BAA) in place. Touchstone went a step further in failing to timely respond to a known security incident.

Fines and penalties

In April, the OCR announced reducing the annual penalty caps across its four-tiered structure, except in instances of willful neglect.[3] This came on the heels of MD Anderson Cancer Center’s appeal of an administrative law judge (ALJ) decision upholding civil remedies of approximately $4.3 million imposed against the organization. Central to the case were the organization’s encryption policies that were in place beginning in 2006, but not adopted system-wide until 2011. In upholding the penalties, the ALJ took note of the organization’s pace in complying with their own policies.

Right of access initiative

In September, the OCR announced a first-ever settlement with Bayfront Health St. Petersburg for $85,000 related to its Right of Access Initiative, a promise to enforce the rights of patients to timely receive copies of their medical records and not be overcharged.[4]

So what lessons can be learned as we move into 2020? First, take note of the common trends involving improper analysis of potential risks and vulnerabilities to ePHI, lacking BAAs, response times to known security incidents, and failing to follow policies. Additionally, as evidenced in the Bayfront Health St. Petersburg case, what the OCR says, the OCR does. Something to be mindful of as we move into 2020.

This document is only available to members. Please log in or become a member.
Become a Member Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings