March 25, 2019

The U.S. Department of Health & Human Services, Office for Civil Rights (OCR), is the federal agency tasked with enforcing HIPAA.

Recently, OCR issued a press release noting that 2018 was a record year for HIPAA enforcement. OCR settled 10 cases and secured one judgment in 2018, totaling $28.7 million, which surpassed the previous record of $23.5 million from 2016.

In addition, in 2018, OCR achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc.

Of the 11 HIPAA enforcement cases that resulted in payments to the government for a violation of HIPAA, two of the cases were against physician group practices.

One of the HIPAA enforcement settlements was with a physician group for $500,000. The physician group filed a breach report confirming that patient information was viewable on a medical billing service’s website. OCR’s investigation revealed that the physician group never had a business associate agreement with the individual providing medical billing services to the physician group, and failed to adopt any policy requiring business associate agreements until April 2014. Although the physician group had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.

Another of the HIPAA enforcement settlements, for $125,000, was with a health care practice that specializes in treating individuals with allergies. In February 2015, a patient of the practice contacted a local television station to speak about a dispute that had occurred between the patient and a doctor in the practice. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.