Home Health & Hospice Week

HIPAA:

OCR Ramping Up HIPAA Enforcement, Stats Show

Warning: HIPAA investigations can drag on for years.

Both federal and state authorities are getting serious about HIPAA compliance, and the result is millions paid out in CMPs and settlements. Are you next?

Since 2003, the HHS Office for Civil Rights has received more than 134,246 HIPAA-related complaints, and investigated and resolved more than 24,241 cases (as of May 31). According to figures compiled by the law firm Davis Wright Tremaine, there have been 36 OCR enforcement actions, comprising 34 settlements and two civil monetary penalty actions.

Settlement amounts and CMPs total more than $40 million, with an average settlement amount of more than $1 million. And 23 out of the 36 OCR enforcement actions arose from breach reports to HHS. At least 25 of the 36 involved electronic protected health information.

OCR also typically hands down Corrective Action Plans following an investigation, especially one arising from a breach. The average minimum CAP length is about two years, according to DWT.

What’s more: State attorneys general are also getting in on the HIPAA enforcement action, with 11 actions by state AGs in less than seven years — five actions in Massachusetts, two in Connecticut, and one each in Indiana, Minnesota, New York, and Vermont. The average penalty amount from a state AG enforcement action is $347,909.

What To Expect When OCR Investigates

Trend: Since 2008, the number of OCR enforcement actions resolved each year has risen steadily, according to DWT. In 2015, OCR resolved six complaints total, but as of June 10, 2016, OCR had already resolved the same number, signaling that 2016 may be a record-breaking year in terms of the number of enforcement actions and settlements.

“These investigations and compliance reviews take personnel out of their ‘day jobs,’ having to intensively focus on the OCR requests,” laments attorney and nurse Rebecca Williams, Chair of the Health Information Practice at DWT in Seattle.

“Sometimes OCR will come on-site for interviews and further investigation. And, of course, these tend to be stressful situations.”

“An OCR investigation is an all-hands-on-deck experience,” agrees DWT attorney Adam Greene, a former HHS regulator who played a key role in administering and enforcing the HIPAA Rules.

“The initial data request may ask for a large amount of information, which takes significant resources to put together,” Greene says. “And some investigations will stretch for a number of years, with each data request once again requiring significant resources to respond.”

Bottom line: CEs and BAs “should understand that OCR is still resolving most cases through voluntary corrective action, but is more willing than ever before to seek significant financial enforcement where there are systemic or egregious compliance failures,” Greene warns. “For example, a lack of a [Business Associate Agreement] where one is clearly required, or a failure to include a large amount of ePHI in periodic risk assessments, are more likely than ever before to lead to sizable financial settlements.”

Note: The DWT data and infographic are at www.privsecblog.com/2016/06/articles/healthcare/hipaa-enforcement-actions-by-the-numbers.
