October 23, 2020
The Office for Civil Rights (OCR) has left practices taking hit after hit after hit when it comes to HIPAA fines this year, but two recent multi-state HIPAA fines have added just as many $$$ to this year’s enforcement totals. While the OCR certainly makes headlines, state enforcement and state-specific HIPAA regulations are just as important to adhere to as federal laws. In fact, depending on the incident and patients affected, many states require their attorney general be notified of a breach and have the option to pursue the HIPAA violation in addition to the investigation at the federal level.
Driving the point home for us, two healthcare organizations found themselves emptying their pockets for a second time in the past few weeks – agreeing to multi-million dollar settlements with multiple states for HIPAA violations already settled with the OCR. These fines are the latest in over $66 million collected by states as part of HIPAA enforcement actions.
Anthem, Inc.
The health insurance provider Anthem went one round with the HIPAA police in 2018, and suffered their first loss against the Office for Civil Rights (OCR) with a $16 million settlement relating to a breach that exposed almost 79 million patients records back in 2014. The results of round 2 have just come in, and it’s a K.O. – Anthem, Inc. has just settled with 43-states and California relating to the same HIPAA breach, with a whopping $48.2 million in total fines.
If you aren’t able to recite every HIPAA fine from memory (it’s ok, we’re probably the only ones that would win that trivia contest) the original incident resulted from a cyberattack that exposed almost 79 million individuals records. OCR investigation revealed Anthem was missing an enterprise-wide security risk analysis, various technical safeguards, and the proper response to suspected or known security incidents – resulting in the first place trophy for largest HIPAA settlement ever.
Community Health System (CHS)
Just last month, the OCR settled a $2.3 million fine with a business associate, Community Health System (CHS), who exposed 6.1 million patients records as a result of another 2014 cyber attack. While most of us wish we could fast forward to 2021 and escape 2020, we’re sure CHS probably feels that way more than anyone after the announcement of another $5 million added to their tab in a 28-state settlement of the same incident.
These recent fines are starting to feel like deja-vu, so here’s more on the announcement to help jog your memory. Not surprisingly, in their investigation the OCR found CHS was missing a security risk analysis, had no proper security incident procedures in place, and failed to implement necessary access controls.
While the breaches themselves may be old news, the latest settlements are a fresh reminder of how healthcare practices must take notice of state HIPAA enforcement. Both state fines mentioned above, though split among all the states listed in each settlement, actually totalled more than the amount the OCR fined each organization.
Having a complete HIPAA compliance program with necessary safeguards in place will not only reduce your risk of being targeted by a hacker, as was the case in both these incidents, but will also keep your chances of federal and state-level fines to a minimum. Federal HIPAA requirements certainly put enough on your plate, but having a HIPAA partner that can provide all your state-specific HIPAA requirements for you makes complying that much easier – and helps avoid costly state audits.