OCR sets record in 2018 for HIPAA enforcement actions

Last year, the Department of Health and Human Services’ Office for Civil Rights set an all-time record for HIPAA enforcement activity in terms of overall dollar value of its fines, according to HHS.

OCR racked up a total of $28.7 million in enforcement actions in 2018, including 10 settlements and a summary judgment in a case before an administrative law judge. The agency beat the previous record of $23.5 million in 2016 by 22 percent.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” says Roger Severino, director of OCR.

In 2018, OCR also reported the single largest individual HIPAA settlement in history of $16 million with Anthem—a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

The year’s final settlement—this past December—involved Cottage Health, a Santa Barbara, Calif.-based not-for-profit healthcare system, which agreed to pay $3 million to OCR and to adhere to a corrective action plan to settle potential violations of the HIPAA rules.

The Cottage Health case involved two breaches of unsecured electronic protected health information (ePHI)—one in December 2013 and the other in December 2015—which together affected more than 62,500 individuals.

According to OCR, its investigation found the following failures on the part of Cottage Health:

  • It didn’t conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI.
  • The organization failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • It didn’t perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI.
  • Cottage Health failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

“The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes,” adds OCR’s Severino.