Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Notably, three settlements stem from data breaches in which hackers were able to access and obtain individuals’ protected health information (“PHI”).  In a press release for one of these settlements, OCR Director Roger Severino noted that “[h]acking is the number one source of large health care data breaches,” and failure to comply with the HIPAA Rules may render “health data a tempting target for hackers.”  In addition, OCR announced settlements with five separate providers to address potential violations of the Privacy Rule’s right of access provision.

OCR previously issued guidance waiving enforcement of certain HIPAA provisions in response to the COVID-19 pandemic, as we have discussed in earlier posts.  However, these recent settlements may indicate that OCR is starting to return to “business as usual” in the area of HIPAA enforcement.

Premera Blue Cross

On September 25, OCR announced that Premera Blue Cross (“PBC”) — the largest health plan in the Pacific Northwest, operating in Washington and Alaska — agreed to pay $6.85 million and take corrective actions as part of a settlement to resolve potential HIPAA violations arising from a data breach that affected more than 10.4 million individuals.  According to OCR, PBC’s settlement “represents the second-largest payment to resolve a HIPAA investigation in OCR history.”

PBC’s settlement relates to an incident in which hackers gained access to PBC’s IT system in May 2014 by using a phishing email to install malware.  The unauthorized access was not discovered until January 2015, almost nine months later, during which time the hackers were able to obtain the PHI of over 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

After PBC reported the breach in March 2015, OCR launched an investigation, which revealed “systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.”  According to Director Severino, PBC’s breach “vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”  In addition to paying $6.85 million, PBC entered into a Corrective Action Plan (“CAP”) that requires PBC, among other things, to conduct a risk analysis to identify potential risks and vulnerabilities to its electronic PHI and to develop and implement an enterprise-wide risk management plan to mitigate any identified risks and vulnerabilities.

CHSPSC LLC

On September 23, OCR announced that it had entered into an agreement with CHSPSC LLC (“CHSPSC”), in which the company agreed to pay $2.3 million to resolve alleged HIPAA violations resulting from a 2014 data breach.  In April 2014, CHSPSC — a business associate for hospitals and clinics indirectly owned by Community Health Systems, Inc., in Tennessee — was notified by the Federal Bureau of Investigation (“FBI”) that a cyber-hacking group had been able to gain access to CHSPSC’s information systems using compromised administrative credentials.  Notwithstanding the FBI’s warning, the hackers were able, until August 2014, to access CHSPSC’s systems and obtain the PHI of over six million individuals (including their name, sex, date of birth, phone number, Social Security number, email, ethnicity, and emergency contact information).

OCR’s investigation following the breach uncovered “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.”  Director Severino stated that “[t]he failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”  Along with the monetary settlement, CHSPSC also entered into a two-year CAP.

Athens Orthopedic Clinic PA

On September 21, OCR announced that it had reached a settlement with Athens Orthopedic Clinic PA (“AOC”), in which AOC agreed to pay $1.5 million to resolve potential violations of the HIPAA Privacy and Security Rules related to a 2016 data breach.  On June 26, 2016, AOC was informed by a journalist that a database of patient records possibly belonging to AOC had been posted for sale online.  Two days later, a hacker group contacted AOC, demanding payment in return for the stolen database.  A forensic analysis ascertained that the hackers used a vendor’s credentials to access AOC’s systems.  The compromised credentials were terminated on June 27, 2016, but the hackers were not effectively blocked for almost another month.

On July 29, 2016, AOC reported that the PHI of more than 200,000 individuals (including names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information) had been disclosed through the breach.  OCR’s subsequent investigation revealed AOC’s “longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”  As part of the settlement agreement, AOC entered into a two-year CAP that requires revisions to its policies and procedures, particularly those related to business associates, and training for its workforce members.

HIPAA Right of Access Settlements

Additionally, OCR announced settlements of five separate investigations as part of its HIPAA Right of Access Initiative (the “Initiative”).  These settlements stem from allegations that healthcare providers failed to grant individuals access to their health records, as required by the HIPAA Privacy Rule.  See 45 C.F.R. § 164.524.  In all five cases, the providers agreed to pay various penalty amounts, ranging from $3,500 to $70,000, and take corrective actions in order to resolve allegations that they had failed to comply with the Privacy Rule’s right of access provisions.

In 2019, OCR established the Initiative as an enforcement priority focusing on individuals’ right to access their health records in a timely manner and at a reasonable cost.  According to OCR, enforcement actions under the Initiative “are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.”  Settlement terms and monetary payments are based on numerous factors, including “the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity’s history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.”  OCR has completed seven enforcement actions, including the five September settlements, under the Initiative since it was introduced.