BreachExchange mailing list archives
OCR Issues Two HIPAA Enforcement Actions, Plus Adjusts Future Fines
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 6 Nov 2019 08:31:26 -0600
https://www.databreachtoday.com/ocr-issues-two-hipaa-enforcement-actions-plus-adjusts-future-fines-a-13360

The Department of Health and Human Services' Office for Civil Rights has slapped two more organizations with hefty HIPAA enforcement fines. Meanwhile, HHS announced increases to future HIPAA civil monetary penalties to adjust for annual inflation, a move some observers say is likely to create confusion and uncertainty, given earlier announcements about plans to reduce penalties.

Latest HIPAA Enforcement Actions

OCR on Tuesday said it signed a $3 million HIPAA settlement with the University of Rochester Medical Center related to breach reports in 2013 and 2017 involving the losses of an unencrypted flash drive and an unencrypted laptop. URMC, which includes the School of Medicine and Dentistry and Strong Memorial Hospital, is one of the largest health systems in New York state, with over 26,000 employees.

At a HIPAA conference in Washington on Tuesday, OCR Director Roger Severino noted that the agency has also issued a $1.6 million civil monetary penalty against the Texas Health and Human Services Commission in a case involving web application security.

OCR did not immediately respond to an Information Security Media Group request for comment and additional information on the agency's enforcement action against Texas HHSC.

In a statement provided to Information Security Media Group, Texas HHSC says it "takes information security and privacy seriously for all the people we serve. We are continually examining ways to strengthen our processes for the health and safety of Texans." But the agency did not comment on the specifics of the HIPAA penalty.

URMC Settlement

OCR in a statement Tuesday says its investigation into the URMC breaches revealed that the medical center failed to:

- Conduct an enterprisewide risk analysis;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Utilize device and media controls;
- Employ a mechanism to encrypt and decrypt electronic protected health information.

"Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC," OCR says. "Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices."

Severino said in a statement: "Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

Under its resolution agreement with OCR, URMC will implement a corrective action plan that requires two years of monitoring of its compliance with the HIPAA rules. The plan requires URMC to conduct a security risk analysis and to develop and implement a detailed risk management plan, including policies for encryption and decryption.

URMC Statement

The settlement agreement with OCR concludes an investigation into IT security practices at URMC, following two unrelated incidents that the medical center voluntarily reported in 2013 and 2017, URMC notes in a statement provided to ISMG. "Potentially affected patients were notified at the time both of these incidents occurred, and we have no reason to believe that any patient's personal health information was misused," the statement says.

"The medical center is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach. As part of the settlement with HHS, we will undertake a comprehensive audit of security practices and implement any corrective actions needed to ensure our safeguards are as strong as possible," URMC says.

So far in 2019, OCR has taken HIPAA enforcement actions against at least seven entities, including URMC and the Texas Health and Human Services Commission, totaling nearly $10 million.

Adjusting Penalties

In other action on Tuesday, HHS issued a final rule to adjust its civil monetary penalties for annual inflation, including the civil monetary penalties for HIPAA violations. The increase of about 1 percent, which affects all tiers of HIPAA enforcement penalties, goes into effect immediately.

Even though OCR in April issued a "notice of enforcement discretion" that significantly lowered HIPAA fines for some less serious violations, the new "adjusted" civil monetary penalties published Tuesday are based on the schedule of higher penalties that was in place prior to OCR's April announcement.

For example, back in April 2019, OCR lowered the annual civil monetary penalty cap for the "no knowledge" level of HIPAA culpability from $1.7 million to $25,000, with OCR calling the higher amount inconsistent with the authority set by Congress in the HITECH Act.

OCR's notice of enforcement discretion published on April 30, lowering some HIPAA fines for less egregious cases, noted that HHS would engage in future rulemaking to revise its HIPAA penalty tiers. But so far that has not happened. So, until OCR issues specific rulemaking to "officially" lower the penalty tiers for HIPAA violations, Tuesday's final rule by HHS on "adjusted" civil monetary penalties raises the annual cap for most culpability tiers to $1.75 million.

Until OCR issues formal rulemaking to lower its HIPAA fine tiers, "HHS could legally issue higher fines at any point," says privacy attorney Iliana Peters of the law firm Polsinelli. Before doing so, however, HHS would most likely issue a notice warning organizations of a return to potentially higher fines, she adds.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that "while [the Trump] administration will likely follow the April 2019 enforcement clarification, until the regulations are amended with the lower annual caps, future administrations will be free to renew the prior interpretation" of higher penalties.

Cause for Confusion?

Privacy attorney David Holtzman of security consultancy CynergisTek says the schedule of adjusted HIPAA civil monetary penalties published on Tuesday will likely create confusion and uncertainty among HIPAA covered entities and business associates.

"They have reason to wonder what the annual limit is that can be levied by OCR as penalties for violations of the regulations," Holtzman notes. "Does this notice issued by HHS signal a conflict between the HHS secretary and the OCR director who is delegated the authority to enforce the HIPAA regulations? Will OCR issue a clarification on how it is applying its enforcement discretion to the civil monetary penalties it will levy in light of this change announced by HHS? Covered entities and business associates better belt yourself in. We could be in for a bumpy ride."

Potential Impact

But privacy attorney Kirk Nahra of the law firm WilmerHale says he expects current OCR leadership to stick with the lower HIPAA penalty tiers issued in April, even if OCR has the legal authority to levy the higher fines still on the books.

"In general, OCR seems to be continuing its pattern throughout the HIPAA era - it is not a 'gotcha' agency," Nahra says. "It looks carefully at whether people are trying to do the right things and it focuses its enforcement attention on serious problems, repeated issues and a modest number of 'example' cases where they want to make a point about a practice," he says. "OCR is still doing careful, thoughtful enforcement generally, even with reduced staff and more demands."

Similarly, Greene says he doesn't expect that the HHS annual inflation adjustments will have a very substantial impact on OCR's enforcement inclinations. "OCR has not historically sought to impose the maximum penalties or settlement amounts possible," he says. "Rather, OCR often uses minimum civil monetary penalty levels, rather than maximums."

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange