HIPAA Guidance and Enforcement: A New Alignment?
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers.The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan.Under the corrective action plan, MIE must conduct a security risk assessment and implement a security risk management plan under OCR supervision.
The breach that gave rise to the settlement resulted from a compromised user name and password that allowed hackers access to the electronic protected health information of 3.5 million people.The compromised information included names, addresses, birth dates, Social Security numbers, e-mail addresses, clinical information, and health insurance information.As required by HIPAA, MIE reported the breach.OCR investigated and found that MIE had failed to conduct an accurate and thorough security risk analysis.
Direct Liability. Shortly after OCR announced this settlement, HHS published guidance on the broad range of HIPAA violations for which a business associate may be held directly liable.These violations include:
- The failure to meet a wide range of HIPAA’s security rules (as in the settlement)
- Impermissible uses and disclosures of Protected Health Information (PHI)
- The lack of a reasonable effort to limit PHI to the minimum necessary in the applicable circumstances
- The failure to respond appropriately to requests by individuals exercising their rights with regard to their own protected health information
- The failure to enter into a business associate agreement with a subcontractor that receives or creates PHI for the business associate
- The failure to send appropriate notice of a breach
In tandem, the guidance and settlement serve as strong warnings to business associates that they may be held directly liable for acts or omissions that do not meet HIPAA standards.
Penalty Limits. While sounding the alarm of potential liability, the settlement also may echo the reduced maximum limits on penalties, which OCR announced in April. On the basis of the information revealed and the numbers affected, the penalty sought from MIE could have been much larger. Under OCR guidance, the minimum penalty that applies (when even reasonable diligence would not have prevented the breach) would be based on $100 per violation.With 3.5 million people affected, that would come to $350 million, if no maximum dollar limit applied.
However, OCR has set a dollar cap that applies for each type of violation.In this case, OCR cited only one type of violation:the failure to conduct an appropriate security risk assessment. Under prior guidance, the cap for any type of violation was $1.5 million.However, new guidance sets forth smaller limits for violations that it considers less blameworthy.In this case, the $100,000 penalty matches the maximum that may be imposed for a violation that is due to reasonable cause.
More detailed information would be needed to determine whether and how the new limits on penalties applied in this case, but the amount of the penalty suggests that OCR may have taken the new limits into account in reaching the recently announced settlement.
Ballard Spahr attorneys established the Health Care Reform Dashboard as a one-stop resource under the Affordable Care Act. We have expanded the scope of the Dashboard to extend to certain other laws, but continue our mission to provide readers with information about significant changes affecting health care and health benefits in the United States and to establish a repository for analysis and original source material on significant developments that have occurred over time. Change is ongoing, and we will continue to update the Dashboard to reflect new legislation, administrative guidance, and judicial decisions as they are published.
Copyright © 2019 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.