HIPAA fines by HHS OCR are set to reach record-breaking levels, with Jerome Meites, HHS Chief Regional Civil Rights Counsel, warning that penalties to date are “low compared to what’s coming up”.
The caution from Meites should be met with trepidation by covered entities and business associates, with New York Presbyterian Hospital and Columbia University already having been hit with a $4.8 million fine in May this year – the largest penalty settlement to date.
Recent costly fines are a stark reminder of the announcement made by OCR Director Leon Rodriguez alongside the release of the Final Rule in January 2013:
“The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The second round of HIPAA audits is due to take place later this year and continue into the end of 2015, with 1,200 candidates facing further scrutiny from HHS OCR. Of these candidates, it is reported that 800 will be covered entities, with the remaining 400 being business associates (BAs) that store or process information on behalf of covered entities.
The buck doesn’t stop with HIPAA. The Federal Trade Commission (FTC) is also using its powers to reprimand those that fail to safeguard Protected Health Information (PHI) from exposure.
Alleging a violation of a 100-year-old consumer protection and antitrust law, the FTC filed administrative charges against LabMD, an independent medical laboratory, for failing to prevent two data security breaches. Pinpointed for “unfair or deceptive acts or practices in or affecting commerce,” the dispute between the FTC and LabMD continues and has gone to an Administrative Law Judge for trial.
Elsewhere, a recent case, Tabata v. Charleston Area Medical Center, Inc., heard by the West Virginia Supreme Court, has opened doors for other state courts to review and penalise PHI breaches. Noted on the HHS ‘Wall of Shame’, patient data (including names, contact details, Social Security Numbers and D.O.B.) was made accessible after being placed on an unsecured electronic database and website. However, as it was not possible to prove the PHI was stolen or used for a nefarious purpose, patients were unable to bring a private civil suit against the Medical Center via HIPAA.
Overturning a lower court ruling, the West Virginia Supreme Court specified that a violation of the patient’s right to privacy alone was enough to bring further action, and that proof of actual damages was therefore unnecessary to seek justice. Although an isolated case, the West Virginia ruling could see individual patients initiate suits against other healthcare organizations in the event of a breach, even where proof of damages is unobtainable.
The key takeaway here is that whilst healthcare professionals and organizations can expect higher fines and increased enforcement, HHS OCR is not the only regulator for data breaches. Covered entities and BAs should be mindful that patient data is bound by other data security laws and should take every necessary step to protect sensitive information at the physical, organizational and technical levels.