Why OCR is varying its responses to breach events
An interesting argument was posed in a recent post about a lack of enforcement actions from the Office for Civil Rights (OCR) against small or medium-sized healthcare entities that do not appropriately report breaches to either OCR or the individuals impacted.
As outlined in the post, the apparent lack of follow up from OCR is occurring even though outside parties are filing reports or complaints with OCR about the underlying conduct that resulted in the breach.
The post then went on to report a seemingly rare instance in which OCR did follow up on a report. In the example, a covered entity had left patient information exposed on a publicly accessible FTP server. A security researcher found that information, notified the covered entity, was accused by that entity of hacking it, and then filed a report with OCR. In response, OCR contacted the covered entity, and over six months later a breach report was finally filed by the covered entity. Further, the covered entity implemented many changes to its HIPAA policies and procedures to bring itself into closer alignment with expectations.
OCR outlined all of these developments in its follow-up letter to the security researcher when the matter was deemed resolved by OCR. No penalties or fines were assessed. Instead, OCR used the matter as a means of educating the covered entity so it better understood the requirements of HIPAA.
The outcome is not surprising based on publicly reported actions and outcomes observed in practice. Comparing the number of reported issues to the number of penalties or fines imposed shows that a penalty or fine results in only a very small minority of instances. That disparity only seems to be growing, as the fines have fallen off dramatically from an already low number. Instead, OCR investigations more typically end with a determination of no issue or with behind-the-scenes corrective action.
In helping entities correct issues and improve compliance behind the scenes, the focus of such efforts seems to center on education. In fact, OCR investigators will often push for more information and then provide resources to help entities update policies rather than pursuing punitive action. The friendly approach very often helps to relieve the tremendous worry and burden that many entities encounter when having to report a breach or otherwise finding OCR opening an investigation. The concern arises because, more often than not, the issue did not stem from intentional conduct but from a mistake or some other oversight, even when the entity was trying to do the right thing.
While behind-the-scenes resolutions work very well for the entities involved, a different perspective should also be considered: that of the complainant, if there is an alleged violation of a HIPAA requirement, or of the individuals whose protected health information is impacted in the event of a breach. In those instances, the aggrieved individuals may ask why more was not done to penalize the entity or impose some punishment, given harm to the individual that likely cannot be “remedied” in the individual’s eyes. While retribution will not necessarily result in satisfaction, a very real human desire to see it imposed can arise regardless.
Given what should be a real consideration of not discounting the harm to individuals, should OCR pursue more enforcement actions that result in penalties or another form of public reprimand? The answer is not clear and not one subject to easy advocacy.
As noted, entities are for the most part trying to do the right thing and may be caught up in some extremely unfortunate circumstances. As such, the education and teaching offered by OCR is appropriate and likely should not be followed by any other action. It is acknowledged that these outcomes can feel less than satisfactory to impacted individuals, but the approach may be more beneficial in the long run to the involved entities.
Pushing punitive action can result in a climate based upon fear and could further drive entities to brush incidents under the rug in the hopes that no one will ever find out about the issue.
While punitive measures may not be appropriate, could alternatives be found that result in some form of public notice and a financial consequence? In classic legal fashion, the answer likely depends. It is hard to argue against education as a good endpoint, but that alone is not always enough to drive compliance.
If a fine or penalty needs to be issued, maybe it could take the form of a public benefit fund, so that any money paid goes toward furthering HIPAA education and compliance broadly. Trying to come up with a “public justice” style remedy could produce many ideas. Such remedies may be more appealing than simply fining entities and would not create an atmosphere of fear.
There is a long-delayed rule that would let individuals share in any penalty assessed, much like the share a whistleblower can receive. However, it is not clear when, if ever, that rule will be proposed and then implemented. Moreover, this remedy could arguably result in something of a hunt for issues to enable recovery. The incentive should not be on finding and reporting issues, but on better encouraging prevention in the first place.
Ultimately, the issue also comes back to upfront compliance. If an entity is not willing to invest in those efforts or does not want to freely admit when an issue has occurred, getting to the favorable end place can be longer or more complex. As has been argued many times before, creating a collaborative environment where entities can work together to promote and implement compliance will help everyone in the long run.