In Fiscal Year 2016, the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, reached 13 settlement agreements with healthcare organizations, each of which agreed to complete a corrective action plan following a breach of protected health information.
That compares with the prior annual record of seven settlement agreements and is three times the average of four or five agreements in recent years, according to Edward Zacharias and David Gacioch, partners specializing in compliance issues, including HIPAA resolution cases, at the law firm of McDermott Will & Emery.
What’s really astounding is the size of the fines imposed on HIPAA covered entities during FY 2016, says Zacharias. Before FY 2016, the record for total fines OCR levied in a single year was $7.9 million. Last year, settlement payments hit $25.6 million.
There are two reasons for the increase in HIPAA compliance investigations and in settlements that include a civil monetary fine. For years, OCR received criticism, including shots from members of Congress, that it was not being aggressive enough, and the agency would counter that it was hamstrung by resource constraints.
But now, with adequate resources from settlement fines, which averaged around $2 million last year compared with $850,000 in recent past years, “the grace period is over,” Zacharias says. Further, OCR has decided that the industry has had sufficient time to develop more mature data security approaches, and too often, healthcare organizations haven’t done so.
That’s why more investigations and settlements can be expected in fiscal 2017, Zacharias adds. The new fiscal year is only two months old, and OCR already has made two settlements with organizations, he notes.
Dealing with an OCR HIPAA audit is not pleasant, and the agency isn’t always consistent in how it conducts the investigations, says Gacioch, who along with Zacharias has represented multiple organizations that have been the focus of audits.
Investigations can take years to complete, with spurts of activity mixed with months of silence from OCR, Gacioch says. That is hard on an organization that is working to improve its compliance: OCR returns after a long gap and moves the goal posts by asking for additional requirements. Zacharias speculates that the stops and starts reflected OCR’s own resource challenges in past years.
Long investigations thus hinder organizations that are trying to comply. OCR’s view of what compliance requires is sometimes a matter of judgment about the language of the pertinent regulations, and of its own perception of what current security best practices are, Zacharias says. If an investigation drags on for three or four years, an organization can find itself implementing a series of standards and best practices that emerge during that period.
And sometimes, guidance from the agency isn’t very helpful, according to Zacharias. OCR is very focused on the need for covered entities to conduct regular and comprehensive risk analyses, and it refers covered entities to the HIPAA security rule for guidance, Zacharias explains.
But the security rule itself gives little guidance on risk analysis: essentially one sentence saying to conduct an analysis and to do so on a regular basis. “What constitutes comprehensiveness of an analysis varies and is a judgment call,” he adds.
Covered entities facing a HIPAA audit or investigation need to understand the exercise likely will be broad in scope, ranging beyond the breach reports or complaints that may have triggered action from OCR, Gacioch cautions. “A covered entity or business associate facing investigation should expect to have a big chunk of its HIPAA compliance program scrutinized, even if the investigation started with a breach that touched only one or two discrete issues.”
While there is still no clear trend toward shorter HIPAA investigations even as their number grows, Gacioch sees a ray of hope, tinged with caution. “With more funds they may allocate more resources to move faster, or investigate cases more deeply.”