Enhanced HIPAA Enforcement Actions in 2020 and Beyond: Health Care Providers of All Sizes Need to Be Prepared

As the COVID-19 pandemic has continued, health care providers have adjusted to a new reality of providing health care services to patients through telehealth and other means designed to mitigate the spread of the virus. With these new practices come the additional evolving challenges of continuing to keep patient information secure, yet accessible to the patient. As health care providers have continued to adjust to this new reality, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has stepped up its HIPAA enforcement and settlement activity.

Since July 23, 2020, OCR has announced eighteen new settlements of HIPAA enforcement investigations into various providers, insurers, and business associates. Eleven of these eighteen settlements were part of OCR’s Right of Access Initiative. The other seven settlements are representative of what we expect from OCR settlements. They focused on insurers and larger providers and involved high fines because of the scale of the patient records affected by the alleged HIPAA breaches.

The eleven Right of Access Initiative settlements illustrate OCR’s increased enforcement activities over the last couple of months and a departure from previous enforcement activities. OCR launched the Right of Access Initiative in mid-2019, emphasizing patients’ rights of ready access to their own health information. OCR announced the first settlement from the Right of Access Initiative on September 9, 2019. While OCR only announced one additional settlement from this initiative over the next year, OCR recently announced eleven more. These settlements have focused on smaller providers and clinics, a reversal of typical OCR practice. The fees associated with these Right of Access Initiative settlements have ranged from $3,500 to $160,000, further illustrating the new emphasis on smaller practices and clinics.

Accompanying its recent settlement and enforcement activity, on December 17, 2020 OCR released its 2016-2017 HIPAA Audit Industry Report. In gathering information for this report, OCR audited 166 covered entities and 41 business associates for compliance with certain provisions of the HIPAA rules. The Report notes the following key compliance findings:

• Most covered entities met the timeliness requirements for providing individuals breach notification;
• Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website;
• Most covered entities failed to provide all of the required content in the Notice of Privacy Practices;
• Most covered entities failed to provide all the required content for breach notifications to individuals;
• Most covered entities failed to properly implement the individual right of access requirements; and
• Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and management.

Some of the above compliance areas may undergo changes under a proposed rule that would revise many requirements and provisions of the HIPAA Rules. Mellette PC posted a separate Client Advisory on these recently-published changes here.

As its recent enforcement activities illustrate, OCR is no longer focusing the brunt of its enforcement activity on the largest insurance companies and providers. Instead, OCR will pursue enforcement activity against providers of all shapes and sizes. All covered entities that have access to patients’ Protected Health Information should remain cognizant of their requirements under HIPAA at all times, particularly in light of pandemic-induced changes in patient care and record retention. All health care entities should review current practices and responsibilities under HIPAA to provide patients’ access to their health information and medical records in a timely fashion.

All covered entities with access to protected health information should review their security and disclosure obligations under HIPAA frequently to ensure they have compliant practices and policies in place. Should you, your practice, or your business have any questions about these responsibilities, please contact Peter Mellette, Harrison Gibbs, or Elizabeth Dahl Coleman at Mellette PC.

This client alert is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.