This could be a record year for HIPAA enforcement actions by federal regulators, both in the number of resolution agreements and in the size of financial settlements resulting from breach investigations, predicts Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine.
"As we get closer to a new [presidential] administration, there could be a push for getting more things out the door," he says in an interview with Information Security Media Group this week during the HIMSS 2016 Conference in Las Vegas.
When it comes to the Department of Health and Human Services' Office for Civil Rights cracking down on organizations involved in "high impact" breach cases, Greene expects the agency responsible for HIPAA enforcement to issue "five to 10" resolution agreements and financial settlements this year.
Already this year, OCR has issued two enforcement actions. That includes a $25,000 settlement and resolution agreement in February with Complete P.T., Pool & Land Physical Therapy Inc., related to an OCR investigation following an August 2012 complaint alleging that the Los Angeles-based physical therapy provider was impermissibly disclosing protected health information on its website. The largest action by OCR so far this year also came in February when a Department of Health and Human Services administrative law judge granted a summary judgment requiring Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $239,800 civil monetary penalty. That case stemmed from an individual who complained in December 2008 that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence.
Greene predicts that financial settlements in HIPAA enforcement cases this year will also approach or break previous records. "We'll see the average settlement creep up a bit," he predicts.
Greene, a former OCR attorney, also predicts that OCR will issue this year its first HIPAA enforcement action against a business associate. Under the HIPAA Omnibus Rule that became effective in 2012, business associates and their subcontractors became directly liable for HIPAA compliance. Of the 1,476 breaches affecting 500 or more individuals listed on the HHS "wall of shame" website, business associates have been involved in about 22 percent.
Still, Greene says that overall, most breach investigations are closed with technical assistance offered by OCR on what the breached organization needs to do to fix the mistakes that led to an incident. "Possibly up to 99 percent of [breach investigations] are resolved without settlement or financial penalty," he says.
In the interview, Greene discusses:
- Predictions for HIPAA enforcement cases brought by state attorneys general this year, as allowed under the HITECH Act;
- The significance of a new "crosswalk" between the HIPAA Security Rule and the NIST Cybersecurity Framework that helps healthcare entities and business associates map NIST standards to HIPAA requirements;
- Emerging security and privacy challenges posed by health information exchange.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.