The nation’s HIPAA enforcement agency has been dramatically ramping up its issuance of breach-related financial penalties this year, in addition to its recent kick-off of a new round of HIPAA compliance audits.
In its ninth enforcement action of 2016, the Department of Health and Human Services’ Office for Civil Rights has slapped the University of Mississippi Medical Center with a $2.75 million penalty stemming from an investigation into a relatively small 2013 breach. The probe uncovered serious security issues.
This latest penalty follows eight HIPAA resolution agreements and one civil monetary penalty issued by OCR so far this year, for a total of almost $15 million in fines.
By comparison, in all of 2015, OCR announced six HIPAA resolution agreements with about $6.2 million in fines. And the totals in previous years were even lower. Since 2008, there have been 38 enforcement actions in which OCR issued a total of about $43.74 million in financial penalties.
In a statement provided to Information Security Media Group, an OCR spokesman says: “Since the enactment of the HITECH Act and the requirement for entities to report breaches to HHS, OCR has focused a greater number of enforcement resources on systemic compliance failures – for example, where compliance failures present ongoing threats to PHI, and where there are patterns of noncompliance that appear to be pervasive in the industry. OCR expects there to be more resolutions through the end of the fiscal and calendar year, given this continued focus.”
OCR HIPAA Enforcement Actions So Far in 2016
| Entity | Penalty |
|---|---|
| Feinstein Institute for Medical Research | $3.9 million |
| University of Mississippi Medical Center | $2.75 million |
| Oregon Health & Science University | $2.7 million |
| New York Presbyterian | $2.2 million |
| North Memorial Health Care | $1.55 million |
| Raleigh Orthopaedic Clinic, P.A. | $750,000 |
| Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 |
| Complete P.T., Pool & Land Physical Therapy | $25,000 |
Source: U.S. Department of Health and Human Services
Corrective Action Plan
Under the OCR resolution agreement, UMMC has agreed to a corrective action plan that requires the medical center to:
- Draft an enterprise-wide risk analysis and risk management plan;
- Update and implement its information security policies and procedures;
- Revise its current breach notification policy;
- Implement a plan requiring a unique name and/or number identifying and tracking users of all systems containing ePHI, including shared network drives;
- Provide a security awareness training program for all workforce members.
In its statement, UMMC says that over the last several years, it has initiated “substantial improvements in its information security program.” Among other initiatives, UMMC says it’s requiring that all laptop computers be encrypted; has restructured the role and reporting relationships of its CISO; and brought in an outside firm for a complete assessment and overhaul of its IT security program.
While the penalty UMMC received appears high relative to the small number of records breached, “the transgressions were many, including insufficient access controls and failure to notify patients whose personal health information had been compromised,” Berger notes.