Legal Alert

OCR’s HIPAA Resolution Agreements: the Year Thus Far

by Edward I. Leeds and Paige A. Haughton
August 12, 2021


The Office of Civil Rights (OCR) continues to enforce HIPAA privacy and security rules and has announced a number of settlements of alleged violations in the first seven months of 2021.

The Upshot

  • Excellus Health Plan, Inc. in January agreed to pay $5.1 million following a cyber-security breach affecting over 9.3 million people. An OCR investigation determined the company had not implemented sufficient security measures to mitigate risks and implement procedures.
  • The OCR determined six health care providers failed to provide patients’ medical records in a timely manner. Each of the six entities entered into Resolution Agreements and Corrective Action Plans with OCR, with resolution payments ranging from $5,000 to $200,000.

The Bottom Line

The Excellus settlement is a reminder that covered entities should vigilantly review activity within their systems and respond quickly if a breach occurs. In addition, the six Resolution Agreements demonstrate the importance of health care entities to ensure timely, comprehensive and accurate responses to patients’ requests for medical records.

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of the privacy and security rules included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), announcing a number of settlements of alleged violations in the first seven months of 2021. 

This settlement activity followed other significant HIPAA developments that occurred in January 2021, including HHS’s release of proposed regulations to the HIPAA Privacy Rule and a Fifth Circuit Court of Appeals opinion vacating an OCR penalty of approximately $4.44 million for a HIPAA security breach involving the University of Texas MD Anderson Cancer Center (MD Anderson).

The Fifth Circuit took issue with the standards that OCR (and an administrative law judge) had applied in assessing the penalty. The Court found that MD Anderson had implemented a mechanism for the encryption of data, even if certain employees did not follow that mechanism. It held that the government had not demonstrated that MD Anderson made any affirmative disclosure of protected health information to an outside person. The Court explained that even if the government had established that MD Anderson was liable, the Court would have lowered the penalties substantially, finding that the amount assessed exceeded applicable limits. Although it is unclear how the Fifth Circuit’s opinion will affect OCR’s enforcement activity (or the willingness of parties to settle) going forward, this year’s settlements demonstrate that OCR has remained active in enforcing HIPAA’s rules.

OCR’s first settlement of 2021 also was its largest of the year to date. OCR learned of a breach when Excellus Health Plan reported to OCR that cyber-attackers had installed malware and gained unauthorized access to its systems from December 2013 to May 2015. The breach resulted in the impermissible disclosure of more than 9.3 million individuals’ protected health information, including their social security numbers, bank account information, health plan claims, and treatment information.

HHS investigated the breach and alleged that Excellus did not conduct a thorough analysis of the risks and vulnerabilities of the electronic protected health information (ePHI), implement security measures to mitigate risks, and implement procedures to regularly review information system activity records.

Excellus agreed to pay a resolution amount of $5.1 million and entered into a Corrective Action Plan. The Corrective Action Plan required Excellus to perform a comprehensive risk analysis to identify any other potential risks or vulnerabilities to its systems maintaining ePHI. It also required Excellus to prepare written policies to address the monitoring of suspicious activity and submit the policies to HHS for review, provide training to employees on such policies, and submit to monitoring by HHS for a period of two years.

OCR’s analysis of the severity of the potential violations and determination of the resolution amount appears to have been heavily influenced by the length of time that the breach went undetected. As the director of OCR commented: “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.”

This settlement serves as a reminder that covered entities should be vigilant in reviewing activity within their systems so they may respond quickly if a breach does occur.

OCR also has demonstrated a continuing commitment to enforce the obligation to provide individuals with timely access to their health information upon request. OCR entered into six separate Resolution Agreements between January and June of 2021, amounting to 19 total actions under its Right of Access Initiative.

All six settlements involved health care providers that failed to provide patients’ medical records in a timely manner, ranging from a six-month delay to a complete failure to provide the requested documents. Each entity entered into a Resolution Agreement and Corrective Action Plan with OCR, with resolution payments ranging from $5,000 to $200,000.

Based on the limited information available in the Resolution Agreements, it is unclear how the monetary resolution amounts were set. They may have been based on a combination of factors such as the time that passed between the initial request and the date the entity provided the medical records, the number of complaints that HHS received with respect to each entity, or the size and sophistication of each entity. Although the settlement amounts for breaches of the access to information requirements tend to be less than those involving an actual breach of privacy, the Corrective Action Plans still require the entities to undertake significant compliance measures, including revising internal policies and procedures for HHS review, providing training to all employees with job duties that relate to processing these requests, and submitting to monitoring by HHS for up to two years.

These Resolution Agreements and accompanying news releases indicate that HHS will continue pursuing its Right of Access Initiative, demonstrating the importance of health care entities to maintain sufficient policies to ensure timely, comprehensive, and accurate responses to patients’ requests for medical records. 

Consolidated Appropriations Act (CAA) and Transparency Regulations

Read The Series

Copyright © 2024 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Subscribe to Ballard Spahr Mailing Lists

Get the latest significant legal alerts, news, webinars, and insights that affect your industry.