About this time last year, we predicted 2017 would see continued vigilance from the Department of Health and Human Services’ Office for Civil Rights (OCR) in regulating and issuing enforcement actions for HIPAA violations. The results are in, and there was sustained momentum from OCR in the last year, including 196 separate breach cases listed for 2017 on the OCR’s so-called “Wall of Shame” breach portal and notable financial settlements for HIPAA violations – in total, OCR received $19,393,000. A full listing of these enforcement settlements from 2017 can be found here.
OCR Enforcement Trends
Two of the enforcement settlements resulted from failing to provide timely notification, a requirement we see growing in specificity in state data breach laws as well. This underscores that, when it comes to notifying regulators and affected individuals, privacy and compliance teams find themselves racing the clock. Providing notification to regulators will also require having documentation of the incident ready and at hand, as OCR investigations may include data requests for details such as:
- Policies and procedures on breach notification
- A copy of recent notifications
- A copy of incident risk assessments where notifications were not made (due to low probability that PHI was compromised or exceptions to the definition of a breach)
- Documentation of timelines, including occurrence, discovery, and notification dates
- Documentation of investigations relating to breaches
Another notable enforcement in 2017 resulted from a lack of a business associate agreement. Covered entities have an obligation to help their Business Associates meet rigorous HIPAA requirements by ensuring all agreements are current and reflect the latest obligations as outlined in the HIPAA Final Rule. What’s more, implementing business associate agreements with all vendors allows you to understand your business relationships, including which vendors may be using what data, and how. It is critical that these types of agreements include clear, established contractual obligations to notify one another of unauthorized disclosure of personal data, and the agreement should also establish notification timelines and content.
Meeting these contractual obligations is just as important as abiding by the notification requirements of industry, state, and federal regulations.
Preparing for HIPAA Compliance in 2018
What is to come in 2018? Likely more guidance and continued enforcement actions. The “Wall of Shame” breach portal already lists 11 cases for 2018. A survey from the Ponemon Institute reports that 67% of CISO, CIO and information security respondents believe they will experience a data breach or cyber attack in 2018. The need to button up privacy practices and processes is more critical than ever to mitigate the organizational burden associated with an anticipated increase in data breaches, including the monetary, regulatory, and reputational risks to you, your company, and your customers.
The 2017 Health Care Compliance Association annual Compliance Institute featured OCR’s Senior Advisor for HIPAA Compliance and Enforcement Iliana Peters, who provided near-prophetic trends to a crowd of compliance professionals. In her discussion points, Peters included explicit mention of the need to bolster business associate agreements and the need to regularly and consistently conduct a thorough risk assessment and analysis. This presentation gave attendees significant insights into where the OCR focus would lie in the year to come.
Peters will revisit this topic at this year’s Compliance Institute in April, again discussing trends in HIPAA enforcement, lessons from settlement cases, and recent guidance from OCR. You can bet we’ll be there, in the front row.